From 3cd2851d8df4452f09edb32b3fc2fb07cbcc226a Mon Sep 17 00:00:00 2001
From: evitayan
Date: Tue, 19 May 2020 21:59:15 -0700
Subject: Do not do NAT detection when using IPv6 address
Bug: 157512908
Test: atest CtsIkeTestCases (new test added)
Test: atest FrameworksIkeTests
Change-Id: I0c43574f53909650a3c00ae1e205e59088637607
---
.../net/ipsec/ike/IkeSessionStateMachine.java | 50 ++++++++++++++--------
1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
index ea496f81..3592ffb4 100644
--- a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
+++ b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
@@ -2891,12 +2891,8 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
if (respSaPayload == null
|| respKePayload == null
- || natSourcePayloads.isEmpty()
- || natDestPayload == null
|| !hasNoncePayload) {
- throw new InvalidSyntaxException(
"SA, KE, Nonce, Notify-NAT-Detection-Source, or" + " Notify-NAT-Detection-Destination payload missing.");
+ throw new InvalidSyntaxException("SA, KE, or Nonce payload missing.");
}
IkeSaPayload reqSaPayload =
@@ -2924,6 +2920,20 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
throw new InvalidSyntaxException("Received KE payload with mismatched DH group.");
}
+ if (mRemoteAddress instanceof Inet4Address) {
+ handleNatDetection(respMsg, natSourcePayloads, natDestPayload);
+ }
+ }
+
+ private void handleNatDetection(
+ IkeMessage respMsg,
+ List natSourcePayloads,
+ IkeNotifyPayload natDestPayload)
+ throws InvalidSyntaxException, IOException {
+ if (natSourcePayloads.isEmpty() || natDestPayload == null) {
+ throw new InvalidSyntaxException("NAT detection notifications missing.");
+ }
+
// NAT detection
long initIkeSpi = respMsg.ikeHeader.ikeInitiatorSpi;
long respIkeSpi = respMsg.ikeHeader.ikeResponderSpi;
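Review bot: The receive-side gate `if (mRemoteAddress instanceof Inet4Address)` keys on the peer's address, while the send side added in the same commit keys on the local address (`localAddr instanceof Inet4Address`); if the two can ever differ — an IPv4-mapped address surfacing as `Inet6Address` on one side, say — the initiator would either validate NAT-D notifies it never sent or skip validating ones it did send. I would use one predicate in both places, derived from the same local/remote pair the request was built from, e.g. `private boolean isNatDetectionEnabled() { return mLocalAddress instanceof Inet4Address && mRemoteAddress instanceof Inet4Address; }` (assuming a local-address field is in scope here — confirm). The new branch also silently ignores any NAT_DETECTION_*_IP notifies an IPv6 peer chooses to send, which deserves a comment such as `// NAT detection is IPv4-only; NAT-D notifies from an IPv6 peer are ignored, not validated.`. The enclosing method begins outside the hunk, and handleNatDetection's body continues past its last line.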
@@ -4676,21 +4686,23 @@ public class IkeSessionStateMachine extends AbstractSessionStateMachine {
selectedDhGroup,
IkeSaPayload.createInitialIkeSaPayload(saProposals),
randomFactory);
+ if (localAddr instanceof Inet4Address) {
+ // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before
+ // the optional CERTREQ payload)", it also says recipient MUST NOT reject " messages
+ // in which the payloads were not in the "right" order" due to the lack of clarity
+ // of the payload order.
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, localAddr, localPort)));
+ payloadList.add(
+ new IkeNotifyPayload(
+ NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
+ IkeNotifyPayload.generateNatDetectionData(
+ initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
+ }
- // Though RFC says Notify-NAT payload is "just after the Ni and Nr payloads (before the
- // optional CERTREQ payload)", it also says recipient MUST NOT reject " messages in
- // which the payloads were not in the "right" order" due to the lack of clarity of the
- // payload order.
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_SOURCE_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, localAddr, localPort)));
- payloadList.add(
- new IkeNotifyPayload(
- NOTIFY_TYPE_NAT_DETECTION_DESTINATION_IP,
- IkeNotifyPayload.generateNatDetectionData(
- initIkeSpi, respIkeSpi, remoteAddr, remotePort)));
return payloadList;
}
-- cgit v1.2.3
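Review bot: Gating the NAT-D payloads on `localAddr instanceof Inet4Address` alone means an initiator whose local address is IPv4 but whose `remoteAddr` is not would still emit a NAT_DETECTION_DESTINATION_IP hash computed over a non-IPv4 address, while the receive-side check in this same commit looks only at the remote address; the two sides should agree, e.g. `if (localAddr instanceof Inet4Address && remoteAddr instanceof Inet4Address) {`. Whether that mixed case can reach this method is not visible from the hunk, so treat it as a consistency fix rather than a confirmed bug. The behaviour change is also undocumented for callers: a line on the enclosing method's Javadoc (the method starts before the hunk), such as `NAT detection notifies are added only when both endpoints are IPv4; over IPv6 no NAT-D payload is sent.`, would save the next reader a trip to the bug tracker.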