1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.net.ipsec.ike;
18 
19 import android.annotation.IntDef;
20 import android.annotation.NonNull;
21 import android.os.PersistableBundle;
22 import android.util.Pair;
23 import android.util.SparseArray;
24 
25 import com.android.internal.net.ipsec.ike.message.IkePayload;
26 import com.android.internal.net.ipsec.ike.message.IkeSaPayload.DhGroupTransform;
27 import com.android.internal.net.ipsec.ike.message.IkeSaPayload.EncryptionTransform;
28 import com.android.internal.net.ipsec.ike.message.IkeSaPayload.IntegrityTransform;
29 import com.android.internal.net.ipsec.ike.message.IkeSaPayload.PrfTransform;
30 import com.android.internal.net.ipsec.ike.message.IkeSaPayload.Transform;
31 import com.android.modules.utils.build.SdkLevel;
32 import com.android.server.vcn.util.PersistableBundleUtils;
33 
34 import java.lang.annotation.Retention;
35 import java.lang.annotation.RetentionPolicy;
36 import java.util.ArrayList;
37 import java.util.Arrays;
38 import java.util.HashSet;
39 import java.util.LinkedHashSet;
40 import java.util.LinkedList;
41 import java.util.List;
42 import java.util.Objects;
43 import java.util.Set;
44 
45 /**
46  * SaProposal represents a proposed configuration to negotiate an IKE or Child SA.
47  *
48  * <p>SaProposal will contain cryptograhic algorithms and key generation materials for the
49  * negotiation of an IKE or Child SA.
50  *
51  * <p>User must provide at least one valid SaProposal when they are creating a new IKE or Child SA.
52  *
53  * @see <a href="https://tools.ietf.org/html/rfc7296#section-3.3">RFC 7296, Internet Key Exchange
54  *     Protocol Version 2 (IKEv2)</a>
55  */
56 public abstract class SaProposal {
57     /** @hide */
58     @Retention(RetentionPolicy.SOURCE)
59     @IntDef({
60         ENCRYPTION_ALGORITHM_3DES,
61         ENCRYPTION_ALGORITHM_AES_CBC,
62         ENCRYPTION_ALGORITHM_AES_CTR,
63         ENCRYPTION_ALGORITHM_AES_GCM_8,
64         ENCRYPTION_ALGORITHM_AES_GCM_12,
65         ENCRYPTION_ALGORITHM_AES_GCM_16,
66         ENCRYPTION_ALGORITHM_CHACHA20_POLY1305
67     })
68     public @interface EncryptionAlgorithm {}
69 
70     /** 3DES Encryption/Ciphering Algorithm. */
71     public static final int ENCRYPTION_ALGORITHM_3DES = 3;
72     /** AES-CBC Encryption/Ciphering Algorithm. */
73     public static final int ENCRYPTION_ALGORITHM_AES_CBC = 12;
74     /** AES-CTR Encryption/Ciphering Algorithm. */
75     public static final int ENCRYPTION_ALGORITHM_AES_CTR = 13;
76     /**
77      * AES-GCM Authentication/Integrity + Encryption/Ciphering Algorithm with 8-octet ICV
78      * (truncation).
79      */
80     public static final int ENCRYPTION_ALGORITHM_AES_GCM_8 = 18;
81     /**
82      * AES-GCM Authentication/Integrity + Encryption/Ciphering Algorithm with 12-octet ICV
83      * (truncation).
84      */
85     public static final int ENCRYPTION_ALGORITHM_AES_GCM_12 = 19;
86     /**
87      * AES-GCM Authentication/Integrity + Encryption/Ciphering Algorithm with 16-octet ICV
88      * (truncation).
89      */
90     public static final int ENCRYPTION_ALGORITHM_AES_GCM_16 = 20;
91     /**
92      * ChaCha20-Poly1305 Authentication/Integrity + Encryption/Ciphering Algorithm with 16-octet ICV
93      * (truncation).
94      */
95     public static final int ENCRYPTION_ALGORITHM_CHACHA20_POLY1305 = 28;
96 
97     /** @hide */
98     protected static final SparseArray<String> SUPPORTED_ENCRYPTION_ALGO_TO_STR;
99 
100     static {
101         SUPPORTED_ENCRYPTION_ALGO_TO_STR = new SparseArray<>();
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_3DES, "ENCR_3DES")102         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_3DES, "ENCR_3DES");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_CBC, "ENCR_AES_CBC")103         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_CBC, "ENCR_AES_CBC");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_CTR, "ENCR_AES_CTR")104         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_CTR, "ENCR_AES_CTR");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_8, "ENCR_AES_GCM_8")105         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_8, "ENCR_AES_GCM_8");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_12, "ENCR_AES_GCM_12")106         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_12, "ENCR_AES_GCM_12");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_16, "ENCR_AES_GCM_16")107         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(ENCRYPTION_ALGORITHM_AES_GCM_16, "ENCR_AES_GCM_16");
SUPPORTED_ENCRYPTION_ALGO_TO_STR.put( ENCRYPTION_ALGORITHM_CHACHA20_POLY1305, "ENCR_CHACHA20_POLY1305")108         SUPPORTED_ENCRYPTION_ALGO_TO_STR.put(
109                 ENCRYPTION_ALGORITHM_CHACHA20_POLY1305, "ENCR_CHACHA20_POLY1305");
110     }
111 
112     /**
113      * Key length unused.
114      *
115      * <p>This value should only be used with the Encryption/Ciphering Algorithm that accepts a
116      * fixed key size such as {@link #ENCRYPTION_ALGORITHM_3DES}.
117      */
118     public static final int KEY_LEN_UNUSED = 0;
119     /** AES Encryption/Ciphering Algorithm key length 128 bits. */
120     public static final int KEY_LEN_AES_128 = 128;
121     /** AES Encryption/Ciphering Algorithm key length 192 bits. */
122     public static final int KEY_LEN_AES_192 = 192;
123     /** AES Encryption/Ciphering Algorithm key length 256 bits. */
124     public static final int KEY_LEN_AES_256 = 256;
125 
126     /** @hide */
127     @Retention(RetentionPolicy.SOURCE)
128     @IntDef({
129         PSEUDORANDOM_FUNCTION_HMAC_SHA1,
130         PSEUDORANDOM_FUNCTION_AES128_XCBC,
131         PSEUDORANDOM_FUNCTION_SHA2_256,
132         PSEUDORANDOM_FUNCTION_SHA2_384,
133         PSEUDORANDOM_FUNCTION_SHA2_512,
134         PSEUDORANDOM_FUNCTION_AES128_CMAC
135     })
136     public @interface PseudorandomFunction {}
137 
138     /** HMAC-SHA1 Pseudorandom Function. */
139     public static final int PSEUDORANDOM_FUNCTION_HMAC_SHA1 = 2;
140     /** AES128-XCBC Pseudorandom Function. */
141     public static final int PSEUDORANDOM_FUNCTION_AES128_XCBC = 4;
142     /** HMAC-SHA2-256 Pseudorandom Function. */
143     public static final int PSEUDORANDOM_FUNCTION_SHA2_256 = 5;
144     /** HMAC-SHA2-384 Pseudorandom Function. */
145     public static final int PSEUDORANDOM_FUNCTION_SHA2_384 = 6;
146     /** HMAC-SHA2-384 Pseudorandom Function. */
147     public static final int PSEUDORANDOM_FUNCTION_SHA2_512 = 7;
148     /** AES128-CMAC Pseudorandom Function. */
149     public static final int PSEUDORANDOM_FUNCTION_AES128_CMAC = 8;
150 
151     /** @hide */
152     protected static final SparseArray<String> SUPPORTED_PRF_TO_STR;
153 
154     static {
155         SUPPORTED_PRF_TO_STR = new SparseArray<>();
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_HMAC_SHA1, "PRF_HMAC_SHA1")156         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_HMAC_SHA1, "PRF_HMAC_SHA1");
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_AES128_XCBC, "PRF_AES128_XCBC")157         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_AES128_XCBC, "PRF_AES128_XCBC");
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_256, "PRF_HMAC2_256")158         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_256, "PRF_HMAC2_256");
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_384, "PRF_HMAC2_384")159         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_384, "PRF_HMAC2_384");
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_512, "PRF_HMAC2_512")160         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_SHA2_512, "PRF_HMAC2_512");
SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_AES128_CMAC, "PRF_AES128_CMAC")161         SUPPORTED_PRF_TO_STR.put(PSEUDORANDOM_FUNCTION_AES128_CMAC, "PRF_AES128_CMAC");
162     }
163 
164     /** @hide */
165     @Retention(RetentionPolicy.SOURCE)
166     @IntDef({
167         INTEGRITY_ALGORITHM_NONE,
168         INTEGRITY_ALGORITHM_HMAC_SHA1_96,
169         INTEGRITY_ALGORITHM_AES_XCBC_96,
170         INTEGRITY_ALGORITHM_AES_CMAC_96,
171         INTEGRITY_ALGORITHM_HMAC_SHA2_256_128,
172         INTEGRITY_ALGORITHM_HMAC_SHA2_384_192,
173         INTEGRITY_ALGORITHM_HMAC_SHA2_512_256
174     })
175     public @interface IntegrityAlgorithm {}
176 
177     /** None Authentication/Integrity Algorithm. */
178     public static final int INTEGRITY_ALGORITHM_NONE = 0;
179     /** HMAC-SHA1 Authentication/Integrity Algorithm. */
180     public static final int INTEGRITY_ALGORITHM_HMAC_SHA1_96 = 2;
181     /** AES-XCBC-96 Authentication/Integrity Algorithm. */
182     public static final int INTEGRITY_ALGORITHM_AES_XCBC_96 = 5;
183     /** AES-CMAC-96 Authentication/Integrity Algorithm. */
184     public static final int INTEGRITY_ALGORITHM_AES_CMAC_96 = 8;
185     /** HMAC-SHA256 Authentication/Integrity Algorithm with 128-bit truncation. */
186     public static final int INTEGRITY_ALGORITHM_HMAC_SHA2_256_128 = 12;
187     /** HMAC-SHA384 Authentication/Integrity Algorithm with 192-bit truncation. */
188     public static final int INTEGRITY_ALGORITHM_HMAC_SHA2_384_192 = 13;
189     /** HMAC-SHA512 Authentication/Integrity Algorithm with 256-bit truncation. */
190     public static final int INTEGRITY_ALGORITHM_HMAC_SHA2_512_256 = 14;
191 
192     /** @hide */
193     protected static final SparseArray<String> SUPPORTED_INTEGRITY_ALGO_TO_STR;
194 
195     static {
196         SUPPORTED_INTEGRITY_ALGO_TO_STR = new SparseArray<>();
SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_NONE, "AUTH_NONE")197         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_NONE, "AUTH_NONE");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_HMAC_SHA1_96, "AUTH_HMAC_SHA1_96")198         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_HMAC_SHA1_96, "AUTH_HMAC_SHA1_96");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_AES_XCBC_96, "AUTH_AES_XCBC_96")199         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_AES_XCBC_96, "AUTH_AES_XCBC_96");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_AES_CMAC_96, "AUTH_AES_CMAC_96")200         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(INTEGRITY_ALGORITHM_AES_CMAC_96, "AUTH_AES_CMAC_96");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put( INTEGRITY_ALGORITHM_HMAC_SHA2_256_128, "AUTH_HMAC_SHA2_256_128")201         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(
202                 INTEGRITY_ALGORITHM_HMAC_SHA2_256_128, "AUTH_HMAC_SHA2_256_128");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put( INTEGRITY_ALGORITHM_HMAC_SHA2_384_192, "AUTH_HMAC_SHA2_384_192")203         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(
204                 INTEGRITY_ALGORITHM_HMAC_SHA2_384_192, "AUTH_HMAC_SHA2_384_192");
SUPPORTED_INTEGRITY_ALGO_TO_STR.put( INTEGRITY_ALGORITHM_HMAC_SHA2_512_256, "AUTH_HMAC_SHA2_512_256")205         SUPPORTED_INTEGRITY_ALGO_TO_STR.put(
206                 INTEGRITY_ALGORITHM_HMAC_SHA2_512_256, "AUTH_HMAC_SHA2_512_256");
207     }
208 
209     /** @hide */
210     @Retention(RetentionPolicy.SOURCE)
211     @IntDef({
212         DH_GROUP_NONE,
213         DH_GROUP_1024_BIT_MODP,
214         DH_GROUP_1536_BIT_MODP,
215         DH_GROUP_2048_BIT_MODP,
216         DH_GROUP_3072_BIT_MODP,
217         DH_GROUP_4096_BIT_MODP,
218         DH_GROUP_CURVE_25519
219     })
220     public @interface DhGroup {}
221 
222     /** None Diffie-Hellman Group. */
223     public static final int DH_GROUP_NONE = 0;
224     /** 1024-bit MODP Diffie-Hellman Group. */
225     public static final int DH_GROUP_1024_BIT_MODP = 2;
226     /** 1536-bit MODP Diffie-Hellman Group. */
227     public static final int DH_GROUP_1536_BIT_MODP = 5;
228     /** 2048-bit MODP Diffie-Hellman Group. */
229     public static final int DH_GROUP_2048_BIT_MODP = 14;
230     /** 3072-bit MODP Diffie-Hellman Group. */
231     public static final int DH_GROUP_3072_BIT_MODP = 15;
232     /** 4096-bit MODP Diffie-Hellman Group. */
233     public static final int DH_GROUP_4096_BIT_MODP = 16;
234     /** Elliptic Curve Diffie-Hellman 25519. */
235     public static final int DH_GROUP_CURVE_25519 = 31;
236 
237     private static final SparseArray<String> SUPPORTED_DH_GROUP_TO_STR;
238 
239     static {
240         SUPPORTED_DH_GROUP_TO_STR = new SparseArray<>();
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_NONE, "DH_NONE")241         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_NONE, "DH_NONE");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_1024_BIT_MODP, "DH_1024_BIT_MODP")242         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_1024_BIT_MODP, "DH_1024_BIT_MODP");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_1536_BIT_MODP, "DH_1536_BIT_MODP")243         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_1536_BIT_MODP, "DH_1536_BIT_MODP");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_2048_BIT_MODP, "DH_2048_BIT_MODP")244         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_2048_BIT_MODP, "DH_2048_BIT_MODP");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_3072_BIT_MODP, "DH_3072_BIT_MODP")245         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_3072_BIT_MODP, "DH_3072_BIT_MODP");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_4096_BIT_MODP, "DH_4096_BIT_MODP")246         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_4096_BIT_MODP, "DH_4096_BIT_MODP");
SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_CURVE_25519, "DH_GROUP_CURVE_25519")247         SUPPORTED_DH_GROUP_TO_STR.put(DH_GROUP_CURVE_25519, "DH_GROUP_CURVE_25519");
248     }
249 
250     private static final String PROTOCOL_ID_KEY = "mProtocolId";
251     /** @hide */
252     protected static final String ENCRYPT_ALGO_KEY = "mEncryptionAlgorithms";
253     /** @hide */
254     protected static final String INTEGRITY_ALGO_KEY = "mIntegrityAlgorithms";
255     /** @hide */
256     protected static final String DH_GROUP_KEY = "mDhGroups";
257 
258     @IkePayload.ProtocolId private final int mProtocolId;
259     private final EncryptionTransform[] mEncryptionAlgorithms;
260     private final IntegrityTransform[] mIntegrityAlgorithms;
261     private final DhGroupTransform[] mDhGroups;
262 
263     /** @hide */
SaProposal( @kePayload.ProtocolId int protocol, EncryptionTransform[] encryptionAlgos, IntegrityTransform[] integrityAlgos, DhGroupTransform[] dhGroups)264     protected SaProposal(
265             @IkePayload.ProtocolId int protocol,
266             EncryptionTransform[] encryptionAlgos,
267             IntegrityTransform[] integrityAlgos,
268             DhGroupTransform[] dhGroups) {
269         mProtocolId = protocol;
270         mEncryptionAlgorithms = encryptionAlgos;
271         mIntegrityAlgorithms = integrityAlgos;
272         mDhGroups = dhGroups;
273     }
274 
275     /**
276      * Constructs this object by deserializing a PersistableBundle
277      *
278      * @hide
279      */
280     @NonNull
fromPersistableBundle(@onNull PersistableBundle in)281     public static SaProposal fromPersistableBundle(@NonNull PersistableBundle in) {
282         Objects.requireNonNull(in, "PersistableBundle is null");
283 
284         int protocolId = in.getInt(PROTOCOL_ID_KEY);
285         switch (protocolId) {
286             case IkePayload.PROTOCOL_ID_IKE:
287                 return IkeSaProposal.fromPersistableBundle(in);
288             case IkePayload.PROTOCOL_ID_ESP:
289                 return ChildSaProposal.fromPersistableBundle(in);
290             default:
291                 throw new IllegalArgumentException("Invalid protocol ID " + protocolId);
292         }
293     }
294 
295     /**
296      * Serializes this object to a PersistableBundle
297      *
298      * @hide
299      */
300     @NonNull
toPersistableBundle()301     public PersistableBundle toPersistableBundle() {
302         final PersistableBundle result = new PersistableBundle();
303 
304         result.putInt(PROTOCOL_ID_KEY, mProtocolId);
305 
306         PersistableBundle encryptionBundle =
307                 PersistableBundleUtils.fromList(
308                         Arrays.asList(mEncryptionAlgorithms),
309                         EncryptionTransform::toPersistableBundle);
310         result.putPersistableBundle(ENCRYPT_ALGO_KEY, encryptionBundle);
311 
312         int[] integrityAlgoIdArray = getIntegrityAlgorithms().stream().mapToInt(i -> i).toArray();
313         result.putIntArray(INTEGRITY_ALGO_KEY, integrityAlgoIdArray);
314 
315         int[] dhGroupArray = getDhGroups().stream().mapToInt(i -> i).toArray();
316         result.putIntArray(DH_GROUP_KEY, dhGroupArray);
317 
318         return result;
319     }
320 
321     /**
322      * Check if the current SaProposal from the SA responder is consistent with the selected
323      * reqProposal from the SA initiator.
324      *
325      * <p>As per RFC 7296, The accepted cryptographic suite MUST contain exactly one transform of
326      * each type included in the proposal. But for interoperability reason, IKE library allows
327      * exceptions when the accepted suite or the request proposal has a NONE value transform.
328      * Currently only IntegrityTransform and DhGroupTransform have NONE value transform ID defined.
329      *
330      * @param reqProposal selected SaProposal from SA initiator
331      * @return if current SaProposal from SA responder is consistent with the selected reqProposal
332      *     from SA initiator.
333      * @hide
334      */
isNegotiatedFrom(SaProposal reqProposal)335     public boolean isNegotiatedFrom(SaProposal reqProposal) {
336         return this.mProtocolId == reqProposal.mProtocolId
337                 && isTransformSelectedFrom(mEncryptionAlgorithms, reqProposal.mEncryptionAlgorithms)
338                 && isIntegrityTransformSelectedFrom(
339                         mIntegrityAlgorithms, reqProposal.mIntegrityAlgorithms)
340                 && isDhGroupTransformSelectedFrom(mDhGroups, reqProposal.mDhGroups);
341     }
342 
343     /**
344      * Check if the response transform can be selected from the request transforms
345      *
346      * <p>Package private
347      */
isTransformSelectedFrom(Transform[] selected, Transform[] selectFrom)348     static boolean isTransformSelectedFrom(Transform[] selected, Transform[] selectFrom) {
349         // If the selected proposal has multiple transforms with the same type, the responder MUST
350         // choose a single one.
351         if ((selected.length > 1) || (selected.length == 0) != (selectFrom.length == 0)) {
352             return false;
353         }
354 
355         if (selected.length == 0) return true;
356 
357         return Arrays.asList(selectFrom).contains(selected[0]);
358     }
359 
360     /**
361      * Check if the response integrity transform can be selected from the request integrity
362      * transforms.
363      *
364      * <p>For interoperability reason, it is allowed to do not include integrity transform in the
365      * response proposal when the request proposal has a NONE value integrity transform; and it is
366      * also allowed to have a NONE value integrity transform when the request proposal does not have
367      * integrity transforms.
368      */
isIntegrityTransformSelectedFrom( IntegrityTransform[] selected, IntegrityTransform[] selectFrom)369     private static boolean isIntegrityTransformSelectedFrom(
370             IntegrityTransform[] selected, IntegrityTransform[] selectFrom) {
371         if (selected.length == 0) {
372             selected = new IntegrityTransform[] {new IntegrityTransform(INTEGRITY_ALGORITHM_NONE)};
373         }
374         if (selectFrom.length == 0) {
375             selectFrom =
376                     new IntegrityTransform[] {new IntegrityTransform(INTEGRITY_ALGORITHM_NONE)};
377         }
378         return isTransformSelectedFrom(selected, selectFrom);
379     }
380 
381     /**
382      * Check if the response DH group can be selected from the request DH groups
383      *
384      * <p>For interoperability reason, it is allowed to do not include DH group in the response
385      * proposal when the request proposal has a NONE value DH group; and it is also allowed to have
386      * a NONE value DH group when the request proposal does not have DH groups.
387      */
isDhGroupTransformSelectedFrom( DhGroupTransform[] selected, DhGroupTransform[] selectFrom)388     private static boolean isDhGroupTransformSelectedFrom(
389             DhGroupTransform[] selected, DhGroupTransform[] selectFrom) {
390         if (selected.length == 0) {
391             selected = new DhGroupTransform[] {new DhGroupTransform(DH_GROUP_NONE)};
392         }
393         if (selectFrom.length == 0) {
394             selectFrom = new DhGroupTransform[] {new DhGroupTransform(DH_GROUP_NONE)};
395         }
396         return isTransformSelectedFrom(selected, selectFrom);
397     }
398 
399     /** @hide */
400     @IkePayload.ProtocolId
getProtocolId()401     public int getProtocolId() {
402         return mProtocolId;
403     }
404 
405     /**
406      * Gets all proposed encryption algorithms
407      *
408      * @return A list of Pairs, with the IANA-defined ID for the proposed encryption algorithm as
409      *     the first item, and the key length (in bits) as the second.
410      */
411     @NonNull
getEncryptionAlgorithms()412     public List<Pair<Integer, Integer>> getEncryptionAlgorithms() {
413         final List<Pair<Integer, Integer>> result = new ArrayList<>();
414         for (EncryptionTransform transform : mEncryptionAlgorithms) {
415             result.add(new Pair(transform.id, transform.getSpecifiedKeyLength()));
416         }
417         return result;
418     }
419 
420     /**
421      * Gets all proposed integrity algorithms
422      *
423      * @return A list of the IANA-defined IDs for the proposed integrity algorithms
424      */
425     @NonNull
getIntegrityAlgorithms()426     public List<Integer> getIntegrityAlgorithms() {
427         final List<Integer> result = new ArrayList<>();
428         for (Transform transform : mIntegrityAlgorithms) {
429             result.add(transform.id);
430         }
431         return result;
432     }
433 
434     /**
435      * Gets all proposed Diffie-Hellman groups
436      *
437      * @return A list of the IANA-defined IDs for the proposed Diffie-Hellman groups
438      */
439     @NonNull
getDhGroups()440     public List<Integer> getDhGroups() {
441         final List<Integer> result = new ArrayList<>();
442         for (Transform transform : mDhGroups) {
443             result.add(transform.id);
444         }
445         return result;
446     }
447 
448     /** @hide */
getEncryptionTransforms()449     public EncryptionTransform[] getEncryptionTransforms() {
450         return mEncryptionAlgorithms;
451     }
452 
453     /** @hide */
getIntegrityTransforms()454     public IntegrityTransform[] getIntegrityTransforms() {
455         return mIntegrityAlgorithms;
456     }
457 
458     /** @hide */
getDhGroupTransforms()459     public DhGroupTransform[] getDhGroupTransforms() {
460         return mDhGroups;
461     }
462 
463     /** @hide */
getAllTransformsAsList()464     protected List<Transform> getAllTransformsAsList() {
465         List<Transform> transformList = new LinkedList<>();
466 
467         transformList.addAll(Arrays.asList(mEncryptionAlgorithms));
468         transformList.addAll(Arrays.asList(mIntegrityAlgorithms));
469         transformList.addAll(Arrays.asList(mDhGroups));
470 
471         return transformList;
472     }
473 
474     /**
475      * Return all SA Transforms in this SaProposal to be encoded for building an outbound IKE
476      * message.
477      *
478      * <p>This method should be called by only IKE library.
479      *
480      * @return Array of Transforms to be encoded.
481      * @hide
482      */
getAllTransforms()483     public abstract Transform[] getAllTransforms();
484 
485     /**
486      * This class is an abstract Builder for building a SaProposal.
487      *
488      * @hide
489      */
490     protected abstract static class Builder {
491         protected static final String ERROR_TAG = "Invalid SA Proposal: ";
492 
493         // Use LinkedHashSet to ensure uniqueness and that ordering is maintained.
494         protected final LinkedHashSet<EncryptionTransform> mProposedEncryptAlgos =
495                 new LinkedHashSet<>();
496         protected final LinkedHashSet<PrfTransform> mProposedPrfs = new LinkedHashSet<>();
497         protected final LinkedHashSet<IntegrityTransform> mProposedIntegrityAlgos =
498                 new LinkedHashSet<>();
499         protected final LinkedHashSet<DhGroupTransform> mProposedDhGroups = new LinkedHashSet<>();
500 
501         protected boolean mHasAead = false;
502 
isAead(@ncryptionAlgorithm int algorithm)503         protected static boolean isAead(@EncryptionAlgorithm int algorithm) {
504             switch (algorithm) {
505                 case ENCRYPTION_ALGORITHM_3DES:
506                     // Fall through
507                 case ENCRYPTION_ALGORITHM_AES_CBC:
508                     // Fall through
509                 case ENCRYPTION_ALGORITHM_AES_CTR:
510                     return false;
511                 case ENCRYPTION_ALGORITHM_AES_GCM_8:
512                     // Fall through
513                 case ENCRYPTION_ALGORITHM_AES_GCM_12:
514                     // Fall through
515                 case ENCRYPTION_ALGORITHM_AES_GCM_16:
516                     // Fall through
517                 case ENCRYPTION_ALGORITHM_CHACHA20_POLY1305:
518                     return true;
519                 default:
520                     // Won't hit here.
521                     throw new IllegalArgumentException("Unsupported Encryption Algorithm.");
522             }
523         }
524 
buildEncryptAlgosOrThrow()525         protected EncryptionTransform[] buildEncryptAlgosOrThrow() {
526             if (mProposedEncryptAlgos.isEmpty()) {
527                 throw new IllegalArgumentException(
528                         ERROR_TAG + "Encryption algorithm must be proposed.");
529             }
530 
531             return mProposedEncryptAlgos.toArray(
532                     new EncryptionTransform[mProposedEncryptAlgos.size()]);
533         }
534 
validateAndAddEncryptAlgo( @ncryptionAlgorithm int algorithm, int keyLength, boolean isChild)535         protected void validateAndAddEncryptAlgo(
536                 @EncryptionAlgorithm int algorithm, int keyLength, boolean isChild) {
537             // Construct EncryptionTransform and validate proposed algorithm during
538             // construction.
539             EncryptionTransform encryptionTransform = new EncryptionTransform(algorithm, keyLength);
540 
541             // For Child SA algorithm, check if that is supported by IPsec
542             if (SdkLevel.isAtLeastS()
543                     && isChild
544                     && !ChildSaProposal.getSupportedEncryptionAlgorithms().contains(algorithm)) {
545                 throw new IllegalArgumentException("Unsupported encryption algorithm " + algorithm);
546             }
547 
548             // Validate that only one mode encryption algorithm has been proposed.
549             boolean isCurrentAead = isAead(algorithm);
550             if (!mProposedEncryptAlgos.isEmpty() && (mHasAead ^ isCurrentAead)) {
551                 throw new IllegalArgumentException(
552                         ERROR_TAG
553                                 + "Proposal cannot has both normal ciphers "
554                                 + "and combined-mode ciphers.");
555             }
556             if (isCurrentAead) mHasAead = true;
557 
558             mProposedEncryptAlgos.add(encryptionTransform);
559         }
560 
validateAndAddIntegrityAlgo( @ntegrityAlgorithm int algorithm, boolean isChild)561         protected void validateAndAddIntegrityAlgo(
562                 @IntegrityAlgorithm int algorithm, boolean isChild) {
563             // For Child SA algorithm, check if that is supported by IPsec
564             if (SdkLevel.isAtLeastS()
565                     && isChild
566                     && !ChildSaProposal.getSupportedIntegrityAlgorithms().contains(algorithm)) {
567                 throw new IllegalArgumentException("Unsupported integrity algorithm " + algorithm);
568             }
569 
570             // Construct IntegrityTransform and validate proposed algorithm during
571             // construction.
572             mProposedIntegrityAlgos.add(new IntegrityTransform(algorithm));
573         }
574 
addDh(@hGroup int dhGroup)575         protected void addDh(@DhGroup int dhGroup) {
576             // Construct DhGroupTransform and validate proposed dhGroup during
577             // construction.
578             mProposedDhGroups.add(new DhGroupTransform(dhGroup));
579         }
580     }
581 
582     /** @hide */
583     @Override
584     @NonNull
toString()585     public String toString() {
586         StringBuilder sb = new StringBuilder();
587 
588         sb.append(IkePayload.getProtocolTypeString(mProtocolId)).append(": ");
589 
590         int len = getAllTransforms().length;
591         for (int i = 0; i < len; i++) {
592             sb.append(getAllTransforms()[i].toString());
593             if (i < len - 1) sb.append("|");
594         }
595 
596         return sb.toString();
597     }
598 
599     @Override
hashCode()600     public int hashCode() {
601         return Objects.hash(
602                 mProtocolId,
603                 Arrays.hashCode(mEncryptionAlgorithms),
604                 Arrays.hashCode(mIntegrityAlgorithms),
605                 Arrays.hashCode(mDhGroups));
606     }
607 
608     @Override
equals(Object o)609     public boolean equals(Object o) {
610         if (!(o instanceof SaProposal)) {
611             return false;
612         }
613 
614         SaProposal other = (SaProposal) o;
615 
616         return mProtocolId == other.mProtocolId
617                 && Arrays.equals(mEncryptionAlgorithms, other.mEncryptionAlgorithms)
618                 && Arrays.equals(mIntegrityAlgorithms, other.mIntegrityAlgorithms)
619                 && Arrays.equals(mDhGroups, other.mDhGroups);
620     }
621 
622     /** @hide */
getKeySet(SparseArray array)623     protected static Set<Integer> getKeySet(SparseArray array) {
624         Set<Integer> result = new HashSet<>();
625         for (int i = 0; i < array.size(); i++) {
626             result.add(array.keyAt(i));
627         }
628 
629         return result;
630     }
631 
632     /** Returns supported DH groups for IKE and Child SA proposal negotiation. */
633     @NonNull
getSupportedDhGroups()634     public static Set<Integer> getSupportedDhGroups() {
635         final Set<Integer> supportedSet = new HashSet<>();
636         for (int dh : getKeySet(SUPPORTED_DH_GROUP_TO_STR)) {
637             if (dh == DH_GROUP_CURVE_25519 && !SdkLevel.isAtLeastS()) {
638                 continue;
639             } else {
640                 supportedSet.add(dh);
641             }
642         }
643         return supportedSet;
644     }
645 
646     /**
647      * Return the encryption algorithm as a String.
648      *
649      * @hide
650      */
getEncryptionAlgorithmString(int algorithm)651     public static String getEncryptionAlgorithmString(int algorithm) {
652         if (SUPPORTED_ENCRYPTION_ALGO_TO_STR.contains(algorithm)) {
653             return SUPPORTED_ENCRYPTION_ALGO_TO_STR.get(algorithm);
654         }
655         return "ENC_Unknown_" + algorithm;
656     }
657 
658     /**
659      * Return the pseudorandom function as a String.
660      *
661      * @hide
662      */
getPseudorandomFunctionString(int algorithm)663     public static String getPseudorandomFunctionString(int algorithm) {
664         if (SUPPORTED_PRF_TO_STR.contains(algorithm)) {
665             return SUPPORTED_PRF_TO_STR.get(algorithm);
666         }
667         return "PRF_Unknown_" + algorithm;
668     }
669 
670     /**
671      * Return the integrity algorithm as a String.
672      *
673      * @hide
674      */
getIntegrityAlgorithmString(int algorithm)675     public static String getIntegrityAlgorithmString(int algorithm) {
676         if (SUPPORTED_INTEGRITY_ALGO_TO_STR.contains(algorithm)) {
677             return SUPPORTED_INTEGRITY_ALGO_TO_STR.get(algorithm);
678         }
679         return "AUTH_Unknown_" + algorithm;
680     }
681 
682     /**
683      * Return Diffie-Hellman Group as a String.
684      *
685      * @hide
686      */
getDhGroupString(int dhGroup)687     public static String getDhGroupString(int dhGroup) {
688         if (SUPPORTED_DH_GROUP_TO_STR.contains(dhGroup)) {
689             return SUPPORTED_DH_GROUP_TO_STR.get(dhGroup);
690         }
691         return "DH_Unknown_" + dhGroup;
692     }
693 }
694