Merge "Implement IntegrityTransform"
diff --git a/src/java/com/android/ike/ikev2/exceptions/AuthenticationFailedException.java b/src/java/com/android/ike/ikev2/exceptions/AuthenticationFailedException.java
new file mode 100644
index 0000000..0984abb
--- /dev/null
+++ b/src/java/com/android/ike/ikev2/exceptions/AuthenticationFailedException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.ike.ikev2.exceptions;
+
+import com.android.ike.ikev2.message.IkeNotifyPayload;
+
+/**
+ * This exception is thrown when IKE authentication fails.
+ *
+ * <p>There is no associated data.
+ *
+ * @see <a href="https://tools.ietf.org/html/rfc7296#section-2.21.2">RFC 7296, Internet Key Exchange
+ *     Protocol Version 2 (IKEv2).
+ */
+public final class AuthenticationFailedException extends IkeException {
+    /**
+     * Construct a instance of AuthenticationFailedException
+     */
+    public AuthenticationFailedException() {
+        super(IkeNotifyPayload.NOTIFY_TYPE_AUTHENTICATION_FAILED);
+    }
+}
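Review bot: The `@see` tag in the class Javadoc opens `<a href="...">` but never closes it, so the link text runs on in the generated docs and doclint is likely to flag it; end the second line with `Protocol Version 2 (IKEv2)</a>`. The constructor comment should read `Construct an instance of AuthenticationFailedException`.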
diff --git a/src/java/com/android/ike/ikev2/message/IkeNotifyPayload.java b/src/java/com/android/ike/ikev2/message/IkeNotifyPayload.java
index 198773c..49672e1 100644
--- a/src/java/com/android/ike/ikev2/message/IkeNotifyPayload.java
+++ b/src/java/com/android/ike/ikev2/message/IkeNotifyPayload.java
@@ -24,7 +24,10 @@
 
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
+import java.net.InetAddress;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.Set;
 
 /**
@@ -57,6 +60,7 @@
     public static final int NOTIFY_TYPE_UNSUPPORTED_CRITICAL_PAYLOAD = 1;
     public static final int NOTIFY_TYPE_INVALID_MAJOR_VERSION = 5;
     public static final int NOTIFY_TYPE_INVALID_SYNTAX = 7;
+    public static final int NOTIFY_TYPE_AUTHENTICATION_FAILED = 24;
     public static final int NOTIFY_TYPE_INVALID_SELECTORS = 39;
     public static final int NOTIFY_TYPE_CHILD_SA_NOT_FOUND = 44;
 
@@ -67,6 +71,8 @@
 
     private static final int NOTIFY_HEADER_LEN = 4;
 
+    private static final String NAT_DETECTION_DIGEST_ALGORITHM = "SHA-1";
+
     private static final Set<Integer> VALID_NOTIFY_TYPES_FOR_CHILD_SA;
 
     static {
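Review bot: `NAT_DETECTION_DIGEST_ALGORITHM` has no comment saying why SHA-1 is hard-coded, which invites a well-meant "upgrade" or a weak-hash lint finding later. RFC 7296 section 2.23 defines the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP data as a SHA-1 digest, so this value is a wire-format constant rather than a negotiable security choice. I would add above it `/** SHA-1 is mandated by RFC 7296 for NAT_DETECTION_* notification data; changing it breaks interoperability. */`.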
@@ -146,6 +152,40 @@
     }
 
     /**
+     * Generate NAT DETECTION notification data.
+     *
+     * <p>This method calculates NAT DETECTION notification data which is a SHA-1 digest of the IKE
+     * initiator's SPI, IKE responder's SPI, IP address and port. Source address and port should be
+     * used for generating NAT_DETECTION_SOURCE_IP data. Destination address and port should be used
+     * for generating NAT_DETECTION_DESTINATION_IP data.
+     *
+     * @param initiatorIkeSpi the SPI of IKE initiator
+     * @param responderIkeSpi the SPI of IKE responder
+     * @param ipAddress the IP address
+     * @param port the port
+     * @return the generated NAT DETECTION notification data as a byte array.
+     * @throws NoSuchAlgorithmException when "SHA-1" is not supported by the security provider.
+     */
+    public static byte[] generateNatDetectionData(
+            long initiatorIkeSpi, long responderIkeSpi, InetAddress ipAddress, int port)
+            throws NoSuchAlgorithmException {
+        byte[] rawIpAddr = ipAddress.getAddress();
+
+        ByteBuffer byteBuffer =
+                ByteBuffer.allocate(2 * SPI_LEN_IKE + rawIpAddr.length + IP_PORT_LEN);
+        byteBuffer
+                .putLong(initiatorIkeSpi)
+                .putLong(responderIkeSpi)
+                .put(rawIpAddr)
+                .putShort((short) port);
+
+        MessageDigest natDetectionDataDigest =
+                MessageDigest.getInstance(
+                        NAT_DETECTION_DIGEST_ALGORITHM, IkeMessage.getSecurityProvider());
+        return natDetectionDataDigest.digest(byteBuffer.array());
+    }
+
+    /**
      * Encode Notify payload to ByteBuffer.
      *
      * @param nextPayload type of payload that follows this payload.
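Review bot: `putShort((short) port)` in generateNatDetectionData silently keeps only the low 16 bits, so an out-of-range `port` produces a digest for a different port and a wrong NAT-detection result instead of an error. I would reject it up front with `if (port < 0 || port > 0xFFFF) throw new IllegalArgumentException("Invalid port: " + port);` and state the 0–65535 range on the `@param port` line. The Javadoc could also say that the fields are hashed in network byte order, which the code gets from ByteBuffer's default big-endian order. `SPI_LEN_IKE` is defined outside this hunk; the two `putLong` calls assume it is 8.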
diff --git a/src/java/com/android/ike/ikev2/message/IkePayload.java b/src/java/com/android/ike/ikev2/message/IkePayload.java
index a1a02bf..2d4d0dd 100644
--- a/src/java/com/android/ike/ikev2/message/IkePayload.java
+++ b/src/java/com/android/ike/ikev2/message/IkePayload.java
@@ -86,6 +86,9 @@
 
     public static final int SPI_NOT_INCLUDED = 0;
 
+    /** Length of port number in bytes*/
+    public static final int IP_PORT_LEN = 2;
+
     @Retention(RetentionPolicy.SOURCE)
     @IntDef({DH_GROUP_1024_BIT_MODP, DH_GROUP_2048_BIT_MODP})
     public @interface DhGroup {}
diff --git a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeNotifyPayloadTest.java b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeNotifyPayloadTest.java
index 98c9f60..3e9ba80 100644
--- a/tests/iketests/src/java/com/android/ike/ikev2/message/IkeNotifyPayloadTest.java
+++ b/tests/iketests/src/java/com/android/ike/ikev2/message/IkeNotifyPayloadTest.java
@@ -24,12 +24,21 @@
 
 import org.junit.Test;
 
+import java.net.InetAddress;
 import java.nio.ByteBuffer;
 
 public final class IkeNotifyPayloadTest {
     private static final String NOTIFY_PAYLOAD_GENERIC_HEADER = "2900001c";
     private static final String NOTIFY_PAYLOAD_BODY_RAW_PACKET =
             "00004004e54f73b7d83f6beb881eab2051d8663f421d10b0";
+
+    private static final String NAT_DETECTION_SOURCE_IP_DATA_HEX_STRING =
+            "e54f73b7d83f6beb881eab2051d8663f421d10b0";
+    private static final String IKE_INITIATOR_SPI_HEX_STRING = "5f54bf6d8b48e6e1";
+    private static final String IKE_RESPODNER_SPI_HEX_STRING = "0000000000000000";
+    private static final String IP_ADDR = "10.80.80.13";
+    private static final int PORT = 500;
+
     private static final int EXPECTED_PROTOCOL_ID = IkePayload.PROTOCOL_ID_UNSET;
     private static final int EXPECTED_SPI_SIZE = IkePayload.SPI_LEN_NOT_INCLUDED;
 
@@ -68,6 +77,21 @@
     }
 
     @Test
+    public void testGenerateNatDetectionData() throws Exception {
+        long initiatorIkeSpi = Long.parseLong(IKE_INITIATOR_SPI_HEX_STRING, 16);
+        long responderIkespi = Long.parseLong(IKE_RESPODNER_SPI_HEX_STRING, 16);
+        InetAddress inetAddress = InetAddress.getByName(IP_ADDR);
+
+        byte[] netDetectionData =
+                IkeNotifyPayload.generateNatDetectionData(
+                        initiatorIkeSpi, responderIkespi, inetAddress, PORT);
+
+        byte[] expectedBytes =
+                TestUtils.hexStringToByteArray(NAT_DETECTION_SOURCE_IP_DATA_HEX_STRING);
+        assertArrayEquals(expectedBytes, netDetectionData);
+    }
+
+    @Test
     public void testEncodeNotifyPayload() throws Exception {
         byte[] inputPacket = TestUtils.hexStringToByteArray(NOTIFY_PAYLOAD_BODY_RAW_PACKET);
         IkeNotifyPayload payload = new IkeNotifyPayload(false, inputPacket);
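Review bot: `Long.parseLong(IKE_INITIATOR_SPI_HEX_STRING, 16)` in testGenerateNatDetectionData only works because this SPI's top bit is clear; an SPI is an unsigned 64-bit value, and a test vector whose first hex digit is 8–f would throw NumberFormatException. Use `Long.parseUnsignedLong(IKE_INITIATOR_SPI_HEX_STRING, 16)` for both SPIs. The names `IKE_RESPODNER_SPI_HEX_STRING` (declared in the previous hunk), `responderIkespi` and `netDetectionData` are misspelled; `IKE_RESPONDER_SPI_HEX_STRING`, `responderIkeSpi` and `natDetectionData` would read better. The test covers only an IPv4 source address, so an IPv6 vector would also exercise the variable-length `rawIpAddr` path.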