Merge "Update MODP groups for IKEv2/IPsec VPNs" into rvc-dev

services/core/java/com/android/server/connectivity/VpnIkev2Utils.java

@@ -17,7 +17,6 @@
 package com.android.server.connectivity;
 
 import static android.net.ConnectivityManager.NetworkCallback;
-import static android.net.ipsec.ike.SaProposal.DH_GROUP_1024_BIT_MODP;
 import static android.net.ipsec.ike.SaProposal.DH_GROUP_2048_BIT_MODP;
 import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_CBC;
 import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_12;
@@ -85,6 +84,12 @@ import java.util.List;
 public class VpnIkev2Utils {
     private static final String TAG = VpnIkev2Utils.class.getSimpleName();
 
+    // TODO: Use IKE library exposed constants when @SystemApi is updated.
+    /** IANA-defined 3072 group for use in IKEv2 */
+    private static final int DH_GROUP_3072_BIT_MODP = 15;
+    /** IANA-defined 4096 group for use in IKEv2 */
+    private static final int DH_GROUP_4096_BIT_MODP = 16;
+
     static IkeSessionParams buildIkeSessionParams(
             @NonNull Context context, @NonNull Ikev2VpnProfile profile, @NonNull Network network) {
         final IkeIdentification localId = parseIkeIdentification(profile.getUserIdentity());
@@ -177,8 +182,9 @@ public class VpnIkev2Utils {
 
         // Add dh, prf for both builders
         for (final IkeSaProposal.Builder builder : Arrays.asList(normalModeBuilder, aeadBuilder)) {
+            builder.addDhGroup(DH_GROUP_4096_BIT_MODP);
+            builder.addDhGroup(DH_GROUP_3072_BIT_MODP);
             builder.addDhGroup(DH_GROUP_2048_BIT_MODP);
-            builder.addDhGroup(DH_GROUP_1024_BIT_MODP);
             builder.addPseudorandomFunction(PSEUDORANDOM_FUNCTION_AES128_XCBC);
             builder.addPseudorandomFunction(PSEUDORANDOM_FUNCTION_HMAC_SHA1);
         }