Merge changes from topic 'ipsec-api-tweaks'
* changes: Add FileDescriptor Versions of applyTransportModeTransform() IpSecManager and IpSecAlgorithm API Tweaks
This commit is contained in:
nharold
@@ -23884,22 +23884,25 @@ package android.net {
|
||||
method public java.lang.String getName();
|
||||
method public int getTruncationLengthBits();
|
||||
method public void writeToParcel(android.os.Parcel, int);
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
|
||||
field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
|
||||
field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
|
||||
}
|
||||
|
||||
public final class IpSecManager {
|
||||
method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
|
||||
field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
|
||||
}
|
||||
|
||||
@@ -25722,22 +25722,25 @@ package android.net {
|
||||
method public java.lang.String getName();
|
||||
method public int getTruncationLengthBits();
|
||||
method public void writeToParcel(android.os.Parcel, int);
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
|
||||
field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
|
||||
field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
|
||||
}
|
||||
|
||||
public final class IpSecManager {
|
||||
method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
|
||||
field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
|
||||
}
|
||||
|
||||
@@ -23958,22 +23958,25 @@ package android.net {
|
||||
method public java.lang.String getName();
|
||||
method public int getTruncationLengthBits();
|
||||
method public void writeToParcel(android.os.Parcel, int);
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
|
||||
field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
|
||||
field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
|
||||
}
|
||||
|
||||
public final class IpSecManager {
|
||||
method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
|
||||
method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
|
||||
method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
|
||||
field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
|
||||
}
|
||||
|
||||
@@ -32,7 +32,7 @@ public final class IpSecAlgorithm implements Parcelable {
|
||||
*
|
||||
* <p>Valid lengths for this key are {128, 192, 256}.
|
||||
*/
|
||||
public static final String ALGO_CRYPT_AES_CBC = "cbc(aes)";
|
||||
public static final String CRYPT_AES_CBC = "cbc(aes)";
|
||||
|
||||
/**
|
||||
* MD5 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in new
|
||||
@@ -40,7 +40,7 @@ public final class IpSecAlgorithm implements Parcelable {
|
||||
*
|
||||
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 128.
|
||||
*/
|
||||
public static final String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
public static final String AUTH_HMAC_MD5 = "hmac(md5)";
|
||||
|
||||
/**
|
||||
* SHA1 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in
|
||||
@@ -48,35 +48,35 @@ public final class IpSecAlgorithm implements Parcelable {
|
||||
*
|
||||
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 160.
|
||||
*/
|
||||
public static final String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
public static final String AUTH_HMAC_SHA1 = "hmac(sha1)";
|
||||
|
||||
/**
|
||||
* SHA256 HMAC Authentication/Integrity Algorithm.
|
||||
*
|
||||
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 256.
|
||||
*/
|
||||
public static final String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
public static final String AUTH_HMAC_SHA256 = "hmac(sha256)";
|
||||
|
||||
/**
|
||||
* SHA384 HMAC Authentication/Integrity Algorithm.
|
||||
*
|
||||
* <p>Valid truncation lengths are multiples of 8 bits from 192 to (default) 384.
|
||||
*/
|
||||
public static final String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
public static final String AUTH_HMAC_SHA384 = "hmac(sha384)";
|
||||
/**
|
||||
* SHA512 HMAC Authentication/Integrity Algorithm
|
||||
*
|
||||
* <p>Valid truncation lengths are multiples of 8 bits from 256 to (default) 512.
|
||||
*/
|
||||
public static final String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
public static final String AUTH_HMAC_SHA512 = "hmac(sha512)";
|
||||
|
||||
/** @hide */
|
||||
@StringDef({
|
||||
ALGO_CRYPT_AES_CBC,
|
||||
ALGO_AUTH_HMAC_MD5,
|
||||
ALGO_AUTH_HMAC_SHA1,
|
||||
ALGO_AUTH_HMAC_SHA256,
|
||||
ALGO_AUTH_HMAC_SHA512
|
||||
CRYPT_AES_CBC,
|
||||
AUTH_HMAC_MD5,
|
||||
AUTH_HMAC_SHA1,
|
||||
AUTH_HMAC_SHA256,
|
||||
AUTH_HMAC_SHA512
|
||||
})
|
||||
@Retention(RetentionPolicy.SOURCE)
|
||||
public @interface AlgorithmName {}
|
||||
@@ -164,17 +164,17 @@ public final class IpSecAlgorithm implements Parcelable {
|
||||
|
||||
private static boolean isTruncationLengthValid(String algo, int truncLenBits) {
|
||||
switch (algo) {
|
||||
case ALGO_CRYPT_AES_CBC:
|
||||
case CRYPT_AES_CBC:
|
||||
return (truncLenBits == 128 || truncLenBits == 192 || truncLenBits == 256);
|
||||
case ALGO_AUTH_HMAC_MD5:
|
||||
case AUTH_HMAC_MD5:
|
||||
return (truncLenBits >= 96 && truncLenBits <= 128);
|
||||
case ALGO_AUTH_HMAC_SHA1:
|
||||
case AUTH_HMAC_SHA1:
|
||||
return (truncLenBits >= 96 && truncLenBits <= 160);
|
||||
case ALGO_AUTH_HMAC_SHA256:
|
||||
case AUTH_HMAC_SHA256:
|
||||
return (truncLenBits >= 96 && truncLenBits <= 256);
|
||||
case ALGO_AUTH_HMAC_SHA384:
|
||||
case AUTH_HMAC_SHA384:
|
||||
return (truncLenBits >= 192 && truncLenBits <= 384);
|
||||
case ALGO_AUTH_HMAC_SHA512:
|
||||
case AUTH_HMAC_SHA512:
|
||||
return (truncLenBits >= 256 && truncLenBits <= 512);
|
||||
default:
|
||||
return false;
|
||||
|
||||
@@ -193,15 +193,44 @@ public final class IpSecManager {
|
||||
*
|
||||
* @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
|
||||
* @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
|
||||
* @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
|
||||
* @return the reserved SecurityParameterIndex
|
||||
* @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
|
||||
* for this user
|
||||
* @throws SpiUnavailableException indicating that a particular SPI cannot be reserved
|
||||
*/
|
||||
public SecurityParameterIndex reserveSecurityParameterIndex(
|
||||
int direction, InetAddress remoteAddress)
|
||||
throws ResourceUnavailableException {
|
||||
try {
|
||||
return new SecurityParameterIndex(
|
||||
mService,
|
||||
direction,
|
||||
remoteAddress,
|
||||
IpSecManager.INVALID_SECURITY_PARAMETER_INDEX);
|
||||
} catch (SpiUnavailableException unlikely) {
|
||||
throw new ResourceUnavailableException("No SPIs available");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Reserve an SPI for traffic bound towards the specified remote address.
|
||||
*
|
||||
* <p>If successful, this SPI is guaranteed available until released by a call to {@link
|
||||
* SecurityParameterIndex#close()}.
|
||||
*
|
||||
* @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
|
||||
* @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
|
||||
* @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
|
||||
* @return the reserved SecurityParameterIndex
|
||||
* @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
|
||||
* for this user
|
||||
*/
|
||||
public SecurityParameterIndex reserveSecurityParameterIndex(
|
||||
int direction, InetAddress remoteAddress, int requestedSpi)
|
||||
throws SpiUnavailableException, ResourceUnavailableException {
|
||||
if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) {
|
||||
throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI");
|
||||
}
|
||||
return new SecurityParameterIndex(mService, direction, remoteAddress, requestedSpi);
|
||||
}
|
||||
|
||||
@@ -248,6 +277,23 @@ public final class IpSecManager {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply an active Transport Mode IPsec Transform to a stream socket to perform IPsec
|
||||
* encapsulation of the traffic flowing between the socket and the remote InetAddress of that
|
||||
* transform. For security reasons, attempts to send traffic to any IP address other than the
|
||||
* address associated with that transform will throw an IOException. In addition, if the
|
||||
* IpSecTransform is later deactivated, the socket will throw an IOException on any calls to
|
||||
* send() or receive() until the transform is removed from the socket by calling {@link
|
||||
* #removeTransportModeTransform(Socket, IpSecTransform)};
|
||||
*
|
||||
* @param socket a socket file descriptor
|
||||
* @param transform an {@link IpSecTransform}, which must be an active Transport Mode transform.
|
||||
*/
|
||||
public void applyTransportModeTransform(FileDescriptor socket, IpSecTransform transform)
|
||||
throws IOException {
|
||||
applyTransportModeTransform(new ParcelFileDescriptor(socket), transform);
|
||||
}
|
||||
|
||||
/**
|
||||
* Apply an active Tunnel Mode IPsec Transform to a network, which will tunnel all traffic to
|
||||
* and from that network's interface with IPsec (applies an outer IP header and IPsec Header to
|
||||
@@ -289,6 +335,20 @@ public final class IpSecManager {
|
||||
removeTransportModeTransform(ParcelFileDescriptor.fromDatagramSocket(socket), transform);
|
||||
}
|
||||
|
||||
/**
|
||||
* Remove a transform from a given stream socket. Once removed, traffic on the socket will not
|
||||
* be encypted. This allows sockets that have been used for IPsec to be reclaimed for
|
||||
* communication in the clear in the event socket reuse is desired. This operation will succeed
|
||||
* regardless of the underlying state of a transform. If a transform is removed, communication
|
||||
* on all sockets to which that transform was applied will fail until this method is called.
|
||||
*
|
||||
* @param socket a socket file descriptor that previously had a transform applied to it.
|
||||
* @param transform the IPsec Transform that was previously applied to the given socket
|
||||
*/
|
||||
public void removeTransportModeTransform(FileDescriptor socket, IpSecTransform transform) {
|
||||
removeTransportModeTransform(new ParcelFileDescriptor(socket), transform);
|
||||
}
|
||||
|
||||
/* Call down to activate a transform */
|
||||
private void removeTransportModeTransform(ParcelFileDescriptor pfd, IpSecTransform transform) {
|
||||
try {
|
||||
|
||||
Reference in New Issue
Block a user