author | evitayan <evitayan@google.com> | 2020-05-19 21:59:15 -0700 |
---|---|---|
committer | evitayan <evitayan@google.com> | 2020-05-26 17:38:11 -0700 |
commit | 3cd2851d8df4452f09edb32b3fc2fb07cbcc226a (patch) | |
tree | 262c5caad1d79459c2334b3a774c4b40229a074e | |
parent | 9dbc4348a97db2076e6841669525d733bbacc287 (diff) | |
Do not do NAT detection when using IPv6 address
Bug: 157512908
Test: atest CtsIkeTestCases (new test added)
Test: atest FrameworksIkeTests
Change-Id: I0c43574f53909650a3c00ae1e205e59088637607
-rw-r--r-- | src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java | 50 |
1 files changed, 31 insertions, 19 deletions
diff --git a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
index ea496f81..3592ffb4 100644
--- a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
+++ b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
@@ -2891,12 +2891,8 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
 if (respSaPayload == null
 || respKePayload == null
- || natSourcePayloads.isEmpty()
- || natDestPayload == null
 || !hasNoncePayload) {
- throw new InvalidSyntaxException(
- "SA, KE, Nonce, Notify-NAT-Detection-Source, or"
- + " Notify-NAT-Detection-Destination payload missing.");
+ throw new InvalidSyntaxException("SA, KE, or Nonce payload missing.");
 }
 IkeSaPayload reqSaPayload =
@@ -2924,6 +2920,20 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
 throw new InvalidSyntaxException("Received KE payload with mismatched DH group.");
 }
+ if (mRemoteAddress instanceof Inet4Address) {
+ handleNatDetection(respMsg, natSourcePayloads, natDestPayload);
+ }
+ }
+
+ private void handleNatDetection(
+ IkeMessage respMsg,
+ List<IkeNotifyPayload> natSourcePayloads,
+ IkeNotifyPayload natDestPayload)
+ throws InvalidSyntaxException, IOException {
+ if (natSourcePayloads.isEmpty() || natDestPayload == null) {
+ throw new InvalidSyntaxException("NAT detection notifications missing.");
+ }
+
 // NAT detection
 long initIkeSpi = respMsg.ikeHeader.ikeInitiatorSpi;
 long respIkeSpi = respMsg.ikeHeader.ikeResponderSpi;
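Review bot: The new receive-side guard `if (mRemoteAddress instanceof Inet4Address)` decides whether the responder's NAT-D notifications are required, while the matching send-side guard in the `@@ -4676` hunk tests `localAddr instanceof Inet4Address`; both decisions should be derived from the same address (or one shared predicate) so a session can never build NAT-D payloads on one path and skip validating them on the other. With this check a responder that does include NAT-D notifications over IPv6 has them silently ignored, which matches the commit title but is not stated anywhere; the new method needs a Javadoc such as `/** Validates and processes the responder's NAT-D notifications. Only invoked for IPv4 peers; NAT detection is skipped entirely over IPv6. */`. Moving the missing-payload check behind the DH-group check also changes which InvalidSyntaxException a response with both defects reports first, which is harmless but worth noting for test expectations. The body of handleNatDetection continues outside the hunk.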
@@ -4676,21 +4686,23 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
 selectedDhGroup,
 IkeSaPayload.createInitialIkeSaPayload(saProposals),
 randomFactory);
+ if (localAddr instanceof Inet4Address) {
+ // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before
+ // the optional CERTREQ payload)", it also says recipient MUST NOT reject " messages
+ // in which the payloads were not in the "right" order" due to the lack of clarity
+ // of the payload order.
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, localAddr, localPort)));
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
+ }
- // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before the
- // optional CERTREQ payload)", it also says recipient MUST NOT reject " messages in
- // which the payloads were not in the "right" order" due to the lack of clarity of the
- // payload order.
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, localAddr, localPort)));
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
 return payloadList;
 }