1 /* 2 * Copyright (C) 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.internal.net.ipsec.ike.message; 18 19 import android.net.ipsec.ike.IkeTrafficSelector; 20 import android.net.ipsec.ike.exceptions.IkeProtocolException; 21 22 import com.android.internal.net.ipsec.ike.exceptions.InvalidSyntaxException; 23 24 import java.nio.ByteBuffer; 25 26 /** 27 * IkeTsPayload represents an Traffic Selector Initiator Payload or an Traffic Selector Responder 28 * Payload. 29 * 30 * <p>Traffic Selector Initiator Payload and Traffic Selector Responder Payload have same format but 31 * different payload types. They describe the address ranges and port ranges of Child SA initiator 32 * and Child SA responder. 33 * 34 * @see <a href="https://tools.ietf.org/html/rfc7296#section-3.13">RFC 7296, Internet Key Exchange 35 * Protocol Version 2 (IKEv2)</a> 36 */ 37 public final class IkeTsPayload extends IkePayload { 38 // Length of Traffic Selector Payload header. 39 private static final int TS_HEADER_LEN = 4; 40 // Length of reserved field in octets. 41 private static final int TS_HEADER_RESERVED_LEN = 3; 42 43 /** Number of Traffic Selectors */ 44 public final int numTs; 45 /** Array of Traffic Selectors */ 46 public final IkeTrafficSelector[] trafficSelectors; 47 IkeTsPayload(boolean critical, byte[] payloadBody, boolean isInitiator)48 IkeTsPayload(boolean critical, byte[] payloadBody, boolean isInitiator) 49 throws IkeProtocolException { 50 super((isInitiator ? PAYLOAD_TYPE_TS_INITIATOR : PAYLOAD_TYPE_TS_RESPONDER), critical); 51 52 ByteBuffer inputBuffer = ByteBuffer.wrap(payloadBody); 53 numTs = Byte.toUnsignedInt(inputBuffer.get()); 54 if (numTs == 0) { 55 throw new InvalidSyntaxException("Cannot find Traffic Selector in TS payload."); 56 } 57 58 // Skip RESERVED byte 59 inputBuffer.get(new byte[TS_HEADER_RESERVED_LEN]); 60 61 // Decode Traffic Selectors 62 byte[] tsBytes = new byte[inputBuffer.remaining()]; 63 inputBuffer.get(tsBytes); 64 trafficSelectors = IkeTrafficSelector.decodeIkeTrafficSelectors(numTs, tsBytes); 65 } 66 67 /** 68 * Construct an instance of IkeTsPayload for building an outbound IKE message. 69 * 70 * @param isInitiator indicates if this payload is for a Child SA initiator or responder. 71 * @param ikeTrafficSelectors the array of included traffic selectors. 72 */ IkeTsPayload(boolean isInitiator, IkeTrafficSelector[] ikeTrafficSelectors)73 public IkeTsPayload(boolean isInitiator, IkeTrafficSelector[] ikeTrafficSelectors) { 74 super((isInitiator ? PAYLOAD_TYPE_TS_INITIATOR : PAYLOAD_TYPE_TS_RESPONDER), false); 75 76 if (ikeTrafficSelectors == null || ikeTrafficSelectors.length == 0) { 77 throw new IllegalArgumentException( 78 "TS Payload requires at least one Traffic Selector."); 79 } 80 81 numTs = ikeTrafficSelectors.length; 82 trafficSelectors = ikeTrafficSelectors; 83 } 84 85 /** 86 * Check if this TS payload contains the all TS in the provided TS payload. 87 * 88 * <p>A TS response cannot be narrower than a TS request. When doing rekey, the newly negotiated 89 * TS cannot be narrower than old negotiated TS. 90 * 91 * <p>This method will be used to (1) validate that an inbound response is subset of a locally 92 * generated request; and (2) validate that an inbound rekey request/response is superset of 93 * current negotiated TS. 94 * 95 * @param tsPayload the other TS payload to validate 96 * @return true if current TS Payload contains all TS in the input tsPayload 97 */ contains(IkeTsPayload tsPayload)98 public boolean contains(IkeTsPayload tsPayload) { 99 subTsLoop: 100 for (IkeTrafficSelector subTs : tsPayload.trafficSelectors) { 101 for (IkeTrafficSelector superTs : this.trafficSelectors) { 102 if (superTs.contains(subTs)) { 103 continue subTsLoop; 104 } 105 } 106 return false; 107 } 108 return true; 109 } 110 111 /** 112 * Encode Traffic Selector Payload to ByteBuffer. 113 * 114 * @param nextPayload type of payload that follows this payload. 115 * @param byteBuffer destination ByteBuffer that stores encoded payload. 116 */ 117 @Override encodeToByteBuffer(@ayloadType int nextPayload, ByteBuffer byteBuffer)118 protected void encodeToByteBuffer(@PayloadType int nextPayload, ByteBuffer byteBuffer) { 119 encodePayloadHeaderToByteBuffer(nextPayload, getPayloadLength(), byteBuffer); 120 121 byteBuffer.put((byte) numTs).put(new byte[TS_HEADER_RESERVED_LEN]); 122 for (IkeTrafficSelector ts : trafficSelectors) { 123 ts.encodeToByteBuffer(byteBuffer); 124 } 125 } 126 127 /** 128 * Get entire payload length. 129 * 130 * @return entire payload length. 131 */ 132 @Override getPayloadLength()133 protected int getPayloadLength() { 134 int len = GENERIC_HEADER_LENGTH + TS_HEADER_LEN; 135 for (IkeTrafficSelector ts : trafficSelectors) { 136 len += ts.selectorLength; 137 } 138 139 return len; 140 } 141 142 /** 143 * Return the payload type as a String. 144 * 145 * @return the payload type as a String. 146 */ 147 @Override getTypeString()148 public String getTypeString() { 149 switch (payloadType) { 150 case PAYLOAD_TYPE_TS_INITIATOR: 151 return "TSi"; 152 case PAYLOAD_TYPE_TS_RESPONDER: 153 return "TSr"; 154 default: 155 // Won't reach here. 156 throw new IllegalArgumentException( 157 "Invalid Payload Type for Traffic Selector Payload."); 158 } 159 } 160 } 161