Support new IpSecAlgorithm AUTH_AES_CMAC

Bug: 161716062 Test: IpSecAlgorithmTest, verified with CTS Change-Id: Ideaf4225bd851fad8c8072505c6ad99d85ba616e
2021-02-08 18:23:44 -08:00
parent bf16b6d399
commit bd0b8751e6
4 changed files with 29 additions and 1 deletions
--- a/core/api/current.txt
+++ b/core/api/current.txt
@@ -25076,6 +25076,7 @@ package android.net {
    method @NonNull public static java.util.Set<java.lang.String> getSupportedAlgorithms();
    method public int getTruncationLengthBits();
    method public void writeToParcel(android.os.Parcel, int);
+    field public static final String AUTH_AES_CMAC = "cmac(aes)";
    field public static final String AUTH_AES_XCBC = "xcbc(aes)";
    field public static final String AUTH_CRYPT_AES_GCM = "rfc4106(gcm(aes))";
    field public static final String AUTH_CRYPT_CHACHA20_POLY1305 = "rfc7539esp(chacha20,poly1305)";
--- a/core/java/android/net/IpSecAlgorithm.java
+++ b/core/java/android/net/IpSecAlgorithm.java
@@ -145,6 +145,25 @@ public final class IpSecAlgorithm implements Parcelable {
    // to be available on devices first shipped with Android 12 or later.
    public static final String AUTH_AES_XCBC = "xcbc(aes)";

+    /**
+     * AES-CMAC Authentication/Integrity Algorithm.
+     *
+     * <p>Keys for this algorithm must be 128 bits in length.
+     *
+     * <p>The only valid truncation length is 96 bits.
+     *
+     * <p>This algorithm may be available on the device. Caller MUST check if it is supported before
+     * using it by calling {@link #getSupportedAlgorithms()} and checking if this algorithm is
+     * included in the returned algorithm set. The returned algorithm set will not change unless the
+     * device is rebooted. {@link IllegalArgumentException} will be thrown if this algorithm is
+     * requested on an unsupported device.
+     *
+     * <p>@see {@link #getSupportedAlgorithms()}
+     */
+    // This algorithm may be available on devices released before Android 12, and is guaranteed
+    // to be available on devices first shipped with Android 12 or later.
+    public static final String AUTH_AES_CMAC = "cmac(aes)";
+
    /**
     * AES-GCM Authentication/Integrity + Encryption/Ciphering Algorithm.
     *
@@ -191,6 +210,7 @@ public final class IpSecAlgorithm implements Parcelable {
        AUTH_HMAC_SHA384,
        AUTH_HMAC_SHA512,
        AUTH_AES_XCBC,
+        AUTH_AES_CMAC,
        AUTH_CRYPT_AES_GCM,
        AUTH_CRYPT_CHACHA20_POLY1305
    })
@@ -215,6 +235,7 @@ public final class IpSecAlgorithm implements Parcelable {
        // STOPSHIP: b/170424293 Use Build.VERSION_CODES.S when it is defined
        ALGO_TO_REQUIRED_FIRST_SDK.put(CRYPT_AES_CTR, Build.VERSION_CODES.R + 1);
        ALGO_TO_REQUIRED_FIRST_SDK.put(AUTH_AES_XCBC, Build.VERSION_CODES.R + 1);
+        ALGO_TO_REQUIRED_FIRST_SDK.put(AUTH_AES_CMAC, Build.VERSION_CODES.R + 1);
        ALGO_TO_REQUIRED_FIRST_SDK.put(AUTH_CRYPT_CHACHA20_POLY1305, Build.VERSION_CODES.R + 1);
    }

@@ -383,6 +404,10 @@ public final class IpSecAlgorithm implements Parcelable {
                isValidLen = keyLen == 128;
                isValidTruncLen = truncLen == 96;
                break;
+            case AUTH_AES_CMAC:
+                isValidLen = keyLen == 128;
+                isValidTruncLen = truncLen == 96;
+                break;
            case AUTH_CRYPT_AES_GCM:
                // The keying material for GCM is a key plus a 32-bit salt
                isValidLen = keyLen == 128 + 32 || keyLen == 192 + 32 || keyLen == 256 + 32;
@@ -416,6 +441,7 @@ public final class IpSecAlgorithm implements Parcelable {
            case AUTH_HMAC_SHA384:
            case AUTH_HMAC_SHA512:
            case AUTH_AES_XCBC:
+            case AUTH_AES_CMAC:
                return true;
            default:
                return false;
--- a/core/res/res/values/config.xml
+++ b/core/res/res/values/config.xml
@@ -1691,7 +1691,7 @@
             * SDK level 28 makes the following algorithms mandatory : "cbc(aes)", "hmac(md5)",
               "hmac(sha1)", "hmac(sha256)", "hmac(sha384)", "hmac(sha512)", "rfc4106(gcm(aes))"
             * SDK level 31 makes the following algorithms mandatory : "rfc3686(ctr(aes))",
-               "xcbc(aes)", "rfc7539esp(chacha20,poly1305)"
+               "xcbc(aes)", "cmac(aes)", "rfc7539esp(chacha20,poly1305)"
     -->
    <string-array name="config_optionalIpSecAlgorithms" translatable="false">
        <!-- Add algorithm here -->
--- a/tests/net/java/android/net/IpSecAlgorithmTest.java
+++ b/tests/net/java/android/net/IpSecAlgorithmTest.java
@@ -129,6 +129,7 @@ public class IpSecAlgorithmTest {
            checkCryptKeyLenValidation(IpSecAlgorithm.CRYPT_AES_CTR, len);
        }
        checkAuthKeyAndTruncLenValidation(IpSecAlgorithm.AUTH_AES_XCBC, 128, 96);
+        checkAuthKeyAndTruncLenValidation(IpSecAlgorithm.AUTH_AES_CMAC, 128, 96);
        checkAuthKeyAndTruncLenValidation(IpSecAlgorithm.AUTH_CRYPT_CHACHA20_POLY1305, 288, 128);
    }