author | Yan Yan <evitayan@google.com> | 2020-05-27 18:14:38 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2020-05-27 18:14:38 +0000 |
commit | 0ae59f085b7e5f718bc033a5621eee5a99a48bf9 (patch) | |
tree | 1e323e9f3e4c248818245dc3da05816d98641a1e | |
parent | 72d2d83205cc0a26cb0e2a182877228bb27256e2 (diff) | |
parent | 3cd2851d8df4452f09edb32b3fc2fb07cbcc226a (diff) | |
-rw-r--r-- | src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java | 50 |
1 files changed, 31 insertions, 19 deletions
diff --git a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
index e86bc841..1a3bf18b 100644
--- a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
+++ b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
@@ -2899,12 +2899,8 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
  if (respSaPayload == null
  || respKePayload == null
- || natSourcePayloads.isEmpty()
- || natDestPayload == null
  || !hasNoncePayload) {
- throw new InvalidSyntaxException(
- "SA, KE, Nonce, Notify-NAT-Detection-Source, or"
- + " Notify-NAT-Detection-Destination payload missing.");
+ throw new InvalidSyntaxException("SA, KE, or Nonce payload missing.");
  }
 
  IkeSaPayload reqSaPayload =
@@ -2932,6 +2928,20 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
  throw new InvalidSyntaxException("Received KE payload with mismatched DH group.");
  }
 
+ if (mRemoteAddress instanceof Inet4Address) {
+ handleNatDetection(respMsg, natSourcePayloads, natDestPayload);
+ }
+ }
+
+ private void handleNatDetection(
+ IkeMessage respMsg,
+ List<IkeNotifyPayload> natSourcePayloads,
+ IkeNotifyPayload natDestPayload)
+ throws InvalidSyntaxException, IOException {
+ if (natSourcePayloads.isEmpty() || natDestPayload == null) {
+ throw new InvalidSyntaxException("NAT detection notifications missing.");
+ }
+
  // NAT detection
  long initIkeSpi = respMsg.ikeHeader.ikeInitiatorSpi;
  long respIkeSpi = respMsg.ikeHeader.ikeResponderSpi;
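Review bot: The receive-side gate `if (mRemoteAddress instanceof Inet4Address)` in the second hunk keys NAT detection on the peer's address family, while the request-side gate added in the following hunk (`if (localAddr instanceof Inet4Address)`) keys it on the local address; for one UDP session the two presumably agree, but both sides should test the same value, or a comment should record why they differ. `handleNatDetection` also lands without a Javadoc; I would add `/** Validates and processes the NAT-D notifications of an IKE_INIT response; only called for IPv4 peers, for which this implementation treats them as mandatory. */`. Both the enclosing method and the body of `handleNatDetection` extend beyond the hunk, so where the declared `IOException` originates is not visible here.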
@@ -4656,21 +4666,23 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
  selectedDhGroup,
  IkeSaPayload.createInitialIkeSaPayload(saProposals),
  randomFactory);
 
+ if (localAddr instanceof Inet4Address) {
+ // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before
+ // the optional CERTREQ payload)", it also says recipient MUST NOT reject " messages
+ // in which the payloads were not in the "right" order" due to the lack of clarity
+ // of the payload order.
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, localAddr, localPort)));
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
+ }
- // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before the
- // optional CERTREQ payload)", it also says recipient MUST NOT reject " messages in
- // which the payloads were not in the "right" order" due to the lack of clarity of the
- // payload order.
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, localAddr, localPort)));
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
 
  return payloadList;
  }
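Review bot: The new `if (localAddr instanceof Inet4Address)` block means an IPv6 session sends no NAT-D notifications at all, but nothing in the hunk records that this is intentional, so a later reader may take it for an omission. I would put a comment above the block, e.g. `// NAT detection is only performed for IPv4 sessions; no NAT-D notification is sent (or expected) over IPv6, so a NAT on an IPv6 path would go undetected.` The enclosing method, which returns `payloadList`, starts before this hunk.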