Note that not all aspects of IPsec are permitted by this API. Applications may create * transport mode security associations and apply them to individual sockets. Applications looking * to create a VPN should use {@link VpnService}. * * @see RFC 4301, Security Architecture for the * Internet Protocol */ @SystemService(Context.IPSEC_SERVICE) public final class IpSecManager { private static final String TAG = "IpSecManager"; /** * For direction-specific attributes of an {@link IpSecTransform}, indicates that an attribute * applies to traffic towards the host. */ public static final int DIRECTION_IN = 0; /** * For direction-specific attributes of an {@link IpSecTransform}, indicates that an attribute * applies to traffic from the host. */ public static final int DIRECTION_OUT = 1; /** @hide */ @IntDef(value = {DIRECTION_IN, DIRECTION_OUT}) @Retention(RetentionPolicy.SOURCE) public @interface PolicyDirection {} /** * The Security Parameter Index (SPI) 0 indicates an unknown or invalid index. * *
No IPsec packet may contain an SPI of 0. * * @hide */ @TestApi public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; /** @hide */ public interface Status { public static final int OK = 0; public static final int RESOURCE_UNAVAILABLE = 1; public static final int SPI_UNAVAILABLE = 2; } /** @hide */ public static final int INVALID_RESOURCE_ID = -1; /** * Thrown to indicate that a requested SPI is in use. * *
The combination of remote {@code InetAddress} and SPI must be unique across all apps on * one device. If this error is encountered, a new SPI is required before a transform may be * created. This error can be avoided by calling {@link * IpSecManager#allocateSecurityParameterIndex}. */ public static final class SpiUnavailableException extends AndroidException { private final int mSpi; /** * Construct an exception indicating that a transform with the given SPI is already in use * or otherwise unavailable. * * @param msg description indicating the colliding SPI * @param spi the SPI that could not be used due to a collision */ SpiUnavailableException(String msg, int spi) { super(msg + " (spi: " + spi + ")"); mSpi = spi; } /** Get the SPI that caused a collision. */ public int getSpi() { return mSpi; } } /** * Thrown to indicate that an IPsec resource is unavailable. * *
This could apply to resources such as sockets, {@link SecurityParameterIndex}, {@link * IpSecTransform}, or other system resources. If this exception is thrown, users should release * allocated objects of the type requested. */ public static final class ResourceUnavailableException extends AndroidException { ResourceUnavailableException(String msg) { super(msg); } } private final IIpSecService mService; /** * This class represents a reserved SPI. * *
Objects of this type are used to track reserved security parameter indices. They can be * obtained by calling {@link IpSecManager#allocateSecurityParameterIndex} and must be released * by calling {@link #close()} when they are no longer needed. */ public static final class SecurityParameterIndex implements AutoCloseable { private final IIpSecService mService; private final InetAddress mDestinationAddress; private final CloseGuard mCloseGuard = CloseGuard.get(); private int mSpi = INVALID_SECURITY_PARAMETER_INDEX; private int mResourceId = INVALID_RESOURCE_ID; /** Get the underlying SPI held by this object. */ public int getSpi() { return mSpi; } /** * Release an SPI that was previously reserved. * *
Release an SPI for use by other users in the system. If a SecurityParameterIndex is * applied to an IpSecTransform, it will become unusable for future transforms but should * still be closed to ensure system resources are released. */ @Override public void close() { try { mService.releaseSecurityParameterIndex(mResourceId); mResourceId = INVALID_RESOURCE_ID; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } mCloseGuard.close(); } /** Check that the SPI was closed properly. */ @Override protected void finalize() throws Throwable { if (mCloseGuard != null) { mCloseGuard.warnIfOpen(); } close(); } private SecurityParameterIndex( @NonNull IIpSecService service, InetAddress destinationAddress, int spi) throws ResourceUnavailableException, SpiUnavailableException { mService = service; mDestinationAddress = destinationAddress; try { IpSecSpiResponse result = mService.allocateSecurityParameterIndex( destinationAddress.getHostAddress(), spi, new Binder()); if (result == null) { throw new NullPointerException("Received null response from IpSecService"); } int status = result.status; switch (status) { case Status.OK: break; case Status.RESOURCE_UNAVAILABLE: throw new ResourceUnavailableException( "No more SPIs may be allocated by this requester."); case Status.SPI_UNAVAILABLE: throw new SpiUnavailableException("Requested SPI is unavailable", spi); default: throw new RuntimeException( "Unknown status returned by IpSecService: " + status); } mSpi = result.spi; mResourceId = result.resourceId; if (mSpi == INVALID_SECURITY_PARAMETER_INDEX) { throw new RuntimeException("Invalid SPI returned by IpSecService: " + status); } if (mResourceId == INVALID_RESOURCE_ID) { throw new RuntimeException( "Invalid Resource ID returned by IpSecService: " + status); } } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } mCloseGuard.open("open"); } /** @hide */ @VisibleForTesting public int getResourceId() { return mResourceId; } } /** * Reserve a random SPI for traffic bound to or from the specified destination address. * *
If successful, this SPI is guaranteed available until released by a call to {@link * SecurityParameterIndex#close()}. * * @param destinationAddress the destination address for traffic bearing the requested SPI. * For inbound traffic, the destination should be an address currently assigned on-device. * @return the reserved SecurityParameterIndex * @throws {@link #ResourceUnavailableException} indicating that too many SPIs are * currently allocated for this user */ public SecurityParameterIndex allocateSecurityParameterIndex(InetAddress destinationAddress) throws ResourceUnavailableException { try { return new SecurityParameterIndex( mService, destinationAddress, IpSecManager.INVALID_SECURITY_PARAMETER_INDEX); } catch (SpiUnavailableException unlikely) { throw new ResourceUnavailableException("No SPIs available"); } } /** * Reserve the requested SPI for traffic bound to or from the specified destination address. * *
If successful, this SPI is guaranteed available until released by a call to {@link * SecurityParameterIndex#close()}. * * @param destinationAddress the destination address for traffic bearing the requested SPI. * For inbound traffic, the destination should be an address currently assigned on-device. * @param requestedSpi the requested SPI, or '0' to allocate a random SPI * @return the reserved SecurityParameterIndex * @throws {@link #ResourceUnavailableException} indicating that too many SPIs are * currently allocated for this user * @throws {@link #SpiUnavailableException} indicating that the requested SPI could not be * reserved */ public SecurityParameterIndex allocateSecurityParameterIndex( InetAddress destinationAddress, int requestedSpi) throws SpiUnavailableException, ResourceUnavailableException { if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) { throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI"); } return new SecurityParameterIndex(mService, destinationAddress, requestedSpi); } /** * Apply an IPsec transform to a stream socket. * *
This applies transport mode encapsulation to the given socket. Once applied, I/O on the * socket will be encapsulated according to the parameters of the {@code IpSecTransform}. When * the transform is removed from the socket by calling {@link #removeTransportModeTransforms}, * unprotected traffic can resume on that socket. * *
For security reasons, the destination address of any traffic on the socket must match the * remote {@code InetAddress} of the {@code IpSecTransform}. Attempts to send traffic to any * other IP address will result in an IOException. In addition, reads and writes on the socket * will throw IOException if the user deactivates the transform (by calling {@link * IpSecTransform#close()}) without calling {@link #removeTransportModeTransforms}. * *
When applying a new tranform to a socket, the previous transform will be removed. However, * inbound traffic on the old transform will continue to be decrypted until that transform is * deallocated by calling {@link IpSecTransform#close()}. This overlap allows rekey procedures * where both transforms are valid until both endpoints are using the new transform and all * in-flight packets have been received. * * @param socket a stream socket * @param direction the policy direction either {@link #DIRECTION_IN} or {@link #DIRECTION_OUT} * @param transform a transport mode {@code IpSecTransform} * @throws IOException indicating that the transform could not be applied */ public void applyTransportModeTransform( Socket socket, int direction, IpSecTransform transform) throws IOException { applyTransportModeTransform(socket.getFileDescriptor$(), direction, transform); } /** * Apply an IPsec transform to a datagram socket. * *
This applies transport mode encapsulation to the given socket. Once applied, I/O on the * socket will be encapsulated according to the parameters of the {@code IpSecTransform}. When * the transform is removed from the socket by calling {@link #removeTransportModeTransforms}, * unprotected traffic can resume on that socket. * *
For security reasons, the destination address of any traffic on the socket must match the * remote {@code InetAddress} of the {@code IpSecTransform}. Attempts to send traffic to any * other IP address will result in an IOException. In addition, reads and writes on the socket * will throw IOException if the user deactivates the transform (by calling {@link * IpSecTransform#close()}) without calling {@link #removeTransportModeTransforms}. * *
When applying a new tranform to a socket, the previous transform will be removed. However, * inbound traffic on the old transform will continue to be decrypted until that transform is * deallocated by calling {@link IpSecTransform#close()}. This overlap allows rekey procedures * where both transforms are valid until both endpoints are using the new transform and all * in-flight packets have been received. * * @param socket a datagram socket * @param direction the policy direction either DIRECTION_IN or DIRECTION_OUT * @param transform a transport mode {@code IpSecTransform} * @throws IOException indicating that the transform could not be applied */ public void applyTransportModeTransform( DatagramSocket socket, int direction, IpSecTransform transform) throws IOException { applyTransportModeTransform(socket.getFileDescriptor$(), direction, transform); } /** * Apply an IPsec transform to a socket. * *
This applies transport mode encapsulation to the given socket. Once applied, I/O on the * socket will be encapsulated according to the parameters of the {@code IpSecTransform}. When * the transform is removed from the socket by calling {@link #removeTransportModeTransforms}, * unprotected traffic can resume on that socket. * *
For security reasons, the destination address of any traffic on the socket must match the * remote {@code InetAddress} of the {@code IpSecTransform}. Attempts to send traffic to any * other IP address will result in an IOException. In addition, reads and writes on the socket * will throw IOException if the user deactivates the transform (by calling {@link * IpSecTransform#close()}) without calling {@link #removeTransportModeTransforms}. * *
When applying a new tranform to a socket, the previous transform will be removed. However, * inbound traffic on the old transform will continue to be decrypted until that transform is * deallocated by calling {@link IpSecTransform#close()}. This overlap allows rekey procedures * where both transforms are valid until both endpoints are using the new transform and all * in-flight packets have been received. * * @param socket a socket file descriptor * @param direction the policy direction either DIRECTION_IN or DIRECTION_OUT * @param transform a transport mode {@code IpSecTransform} * @throws IOException indicating that the transform could not be applied */ public void applyTransportModeTransform( FileDescriptor socket, int direction, IpSecTransform transform) throws IOException { // We dup() the FileDescriptor here because if we don't, then the ParcelFileDescriptor() // constructor takes control and closes the user's FD when we exit the method. try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) { mService.applyTransportModeTransform(pfd, direction, transform.getResourceId()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** * Apply an active Tunnel Mode IPsec Transform to a network, which will tunnel all traffic to * and from that network's interface with IPsec (applies an outer IP header and IPsec Header to * all traffic, and expects an additional IP header and IPsec Header on all inbound traffic). * Applications should probably not use this API directly. Instead, they should use {@link * VpnService} to provide VPN capability in a more generic fashion. * *
TODO: Update javadoc for tunnel mode APIs at the same time the APIs are re-worked. * * @param net a {@link Network} that will be tunneled via IP Sec. * @param transform an {@link IpSecTransform}, which must be an active Tunnel Mode transform. * @hide */ public void applyTunnelModeTransform(Network net, IpSecTransform transform) {} /** * Remove an IPsec transform from a stream socket. * *
Once removed, traffic on the socket will not be encrypted. Removing transforms from a * socket allows the socket to be reused for communication in the clear. * *
If an {@code IpSecTransform} object applied to this socket was deallocated by calling * {@link IpSecTransform#close()}, then communication on the socket will fail until this method * is called. * * @param socket a socket that previously had a transform applied to it * @throws IOException indicating that the transform could not be removed from the socket */ public void removeTransportModeTransforms(Socket socket) throws IOException { removeTransportModeTransforms(socket.getFileDescriptor$()); } /** * Remove an IPsec transform from a datagram socket. * *
Once removed, traffic on the socket will not be encrypted. Removing transforms from a * socket allows the socket to be reused for communication in the clear. * *
If an {@code IpSecTransform} object applied to this socket was deallocated by calling * {@link IpSecTransform#close()}, then communication on the socket will fail until this method * is called. * * @param socket a socket that previously had a transform applied to it * @throws IOException indicating that the transform could not be removed from the socket */ public void removeTransportModeTransforms(DatagramSocket socket) throws IOException { removeTransportModeTransforms(socket.getFileDescriptor$()); } /** * Remove an IPsec transform from a socket. * *
Once removed, traffic on the socket will not be encrypted. Removing transforms from a * socket allows the socket to be reused for communication in the clear. * *
If an {@code IpSecTransform} object applied to this socket was deallocated by calling * {@link IpSecTransform#close()}, then communication on the socket will fail until this method * is called. * * @param socket a socket that previously had a transform applied to it * @throws IOException indicating that the transform could not be removed from the socket */ public void removeTransportModeTransforms(FileDescriptor socket) throws IOException { try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) { mService.removeTransportModeTransforms(pfd); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** * Remove a Tunnel Mode IPsec Transform from a {@link Network}. This must be used as part of * cleanup if a tunneled Network experiences a change in default route. The Network will drop * all traffic that cannot be routed to the Tunnel's outbound interface. If that interface is * lost, all traffic will drop. * *
TODO: Update javadoc for tunnel mode APIs at the same time the APIs are re-worked. * * @param net a network that currently has transform applied to it. * @param transform a Tunnel Mode IPsec Transform that has been previously applied to the given * network * @hide */ public void removeTunnelModeTransform(Network net, IpSecTransform transform) {} /** * This class provides access to a UDP encapsulation Socket. * *
{@code UdpEncapsulationSocket} wraps a system-provided datagram socket intended for IKEv2 * signalling and UDP encapsulated IPsec traffic. Instances can be obtained by calling {@link * IpSecManager#openUdpEncapsulationSocket}. The provided socket cannot be re-bound by the * caller. The caller should not close the {@code FileDescriptor} returned by {@link * #getSocket}, but should use {@link #close} instead. * *
Allowing the user to close or unbind a UDP encapsulation socket could impact the traffic * of the next user who binds to that port. To prevent this scenario, these sockets are held * open by the system so that they may only be closed by calling {@link #close} or when the user * process exits. */ public static final class UdpEncapsulationSocket implements AutoCloseable { private final ParcelFileDescriptor mPfd; private final IIpSecService mService; private int mResourceId = INVALID_RESOURCE_ID; private final int mPort; private final CloseGuard mCloseGuard = CloseGuard.get(); private UdpEncapsulationSocket(@NonNull IIpSecService service, int port) throws ResourceUnavailableException, IOException { mService = service; try { IpSecUdpEncapResponse result = mService.openUdpEncapsulationSocket(port, new Binder()); switch (result.status) { case Status.OK: break; case Status.RESOURCE_UNAVAILABLE: throw new ResourceUnavailableException( "No more Sockets may be allocated by this requester."); default: throw new RuntimeException( "Unknown status returned by IpSecService: " + result.status); } mResourceId = result.resourceId; mPort = result.port; mPfd = result.fileDescriptor; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } mCloseGuard.open("constructor"); } /** Get the wrapped socket. */ public FileDescriptor getSocket() { if (mPfd == null) { return null; } return mPfd.getFileDescriptor(); } /** Get the bound port of the wrapped socket. */ public int getPort() { return mPort; } /** * Close this socket. * *
This closes the wrapped socket. Open encapsulation sockets count against a user's * resource limits, and forgetting to close them eventually will result in {@link * ResourceUnavailableException} being thrown. */ @Override public void close() throws IOException { try { mService.closeUdpEncapsulationSocket(mResourceId); mResourceId = INVALID_RESOURCE_ID; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } try { mPfd.close(); } catch (IOException e) { Log.e(TAG, "Failed to close UDP Encapsulation Socket with Port= " + mPort); throw e; } mCloseGuard.close(); } /** Check that the socket was closed properly. */ @Override protected void finalize() throws Throwable { if (mCloseGuard != null) { mCloseGuard.warnIfOpen(); } close(); } /** @hide */ @VisibleForTesting public int getResourceId() { return mResourceId; } }; /** * Open a socket for UDP encapsulation and bind to the given port. * *
See {@link UdpEncapsulationSocket} for the proper way to close the returned socket. * * @param port a local UDP port * @return a socket that is bound to the given port * @throws IOException indicating that the socket could not be opened or bound * @throws ResourceUnavailableException indicating that too many encapsulation sockets are open */ // Returning a socket in this fashion that has been created and bound by the system // is the only safe way to ensure that a socket is both accessible to the user and // safely usable for Encapsulation without allowing a user to possibly unbind from/close // the port, which could potentially impact the traffic of the next user who binds to that // socket. public UdpEncapsulationSocket openUdpEncapsulationSocket(int port) throws IOException, ResourceUnavailableException { /* * Most range checking is done in the service, but this version of the constructor expects * a valid port number, and zero cannot be checked after being passed to the service. */ if (port == 0) { throw new IllegalArgumentException("Specified port must be a valid port number!"); } return new UdpEncapsulationSocket(mService, port); } /** * Open a socket for UDP encapsulation. * *
See {@link UdpEncapsulationSocket} for the proper way to close the returned socket. * *
The local port of the returned socket can be obtained by calling {@link * UdpEncapsulationSocket#getPort()}. * * @return a socket that is bound to a local port * @throws IOException indicating that the socket could not be opened or bound * @throws ResourceUnavailableException indicating that too many encapsulation sockets are open */ // Returning a socket in this fashion that has been created and bound by the system // is the only safe way to ensure that a socket is both accessible to the user and // safely usable for Encapsulation without allowing a user to possibly unbind from/close // the port, which could potentially impact the traffic of the next user who binds to that // socket. public UdpEncapsulationSocket openUdpEncapsulationSocket() throws IOException, ResourceUnavailableException { return new UdpEncapsulationSocket(mService, 0); } /** * This class represents an IpSecTunnelInterface * *
IpSecTunnelInterface objects track tunnel interfaces that serve as * local endpoints for IPsec tunnels. * *
Creating an IpSecTunnelInterface creates a device to which IpSecTransforms may be * applied to provide IPsec security to packets sent through the tunnel. While a tunnel * cannot be used in standalone mode within Android, the higher layers may use the tunnel * to create Network objects which are accessible to the Android system. * @hide */ @SystemApi public static final class IpSecTunnelInterface implements AutoCloseable { private final IIpSecService mService; private final InetAddress mRemoteAddress; private final InetAddress mLocalAddress; private final Network mUnderlyingNetwork; private final CloseGuard mCloseGuard = CloseGuard.get(); private String mInterfaceName; private int mResourceId = INVALID_RESOURCE_ID; /** Get the underlying SPI held by this object. */ public String getInterfaceName() { return mInterfaceName; } /** * Add an address to the IpSecTunnelInterface * *
Add an address which may be used as the local inner address for * tunneled traffic. * * @param address the local address for traffic inside the tunnel * @throws IOException if the address could not be added * @hide */ public void addAddress(LinkAddress address) throws IOException { } /** * Remove an address from the IpSecTunnelInterface * *
Remove an address which was previously added to the IpSecTunnelInterface * * @param address to be removed * @throws IOException if the address could not be removed * @hide */ public void removeAddress(LinkAddress address) throws IOException { } private IpSecTunnelInterface(@NonNull IIpSecService service, @NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { mService = service; mLocalAddress = localAddress; mRemoteAddress = remoteAddress; mUnderlyingNetwork = underlyingNetwork; try { IpSecTunnelInterfaceResponse result = mService.createTunnelInterface( localAddress.getHostAddress(), remoteAddress.getHostAddress(), underlyingNetwork, new Binder()); switch (result.status) { case Status.OK: break; case Status.RESOURCE_UNAVAILABLE: throw new ResourceUnavailableException( "No more tunnel interfaces may be allocated by this requester."); default: throw new RuntimeException( "Unknown status returned by IpSecService: " + result.status); } mResourceId = result.resourceId; mInterfaceName = result.interfaceName; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } mCloseGuard.open("constructor"); } /** * Delete an IpSecTunnelInterface * *
Calling close will deallocate the IpSecTunnelInterface and all of its system * resources. Any packets bound for this interface either inbound or outbound will * all be lost. */ @Override public void close() { try { mService.deleteTunnelInterface(mResourceId); mResourceId = INVALID_RESOURCE_ID; } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } mCloseGuard.close(); } /** Check that the Interface was closed properly. */ @Override protected void finalize() throws Throwable { if (mCloseGuard != null) { mCloseGuard.warnIfOpen(); } close(); } /** @hide */ @VisibleForTesting public int getResourceId() { return mResourceId; } } /** * Create a new IpSecTunnelInterface as a local endpoint for tunneled IPsec traffic. * *
An application that creates tunnels is responsible for cleaning up the tunnel when the * underlying network goes away, and the onLost() callback is received. * * @param localAddress The local addres of the tunnel * @param remoteAddress The local addres of the tunnel * @param underlyingNetwork the {@link Network} that will carry traffic for this tunnel. * This network should almost certainly be a network such as WiFi with an L2 address. * @return a new {@link IpSecManager#IpSecTunnelInterface} with the specified properties * @throws IOException indicating that the socket could not be opened or bound * @throws ResourceUnavailableException indicating that too many encapsulation sockets are open * @hide */ @SystemApi @RequiresPermission(android.Manifest.permission.NETWORK_STACK) public IpSecTunnelInterface createIpSecTunnelInterface(@NonNull InetAddress localAddress, @NonNull InetAddress remoteAddress, @NonNull Network underlyingNetwork) throws ResourceUnavailableException, IOException { return new IpSecTunnelInterface(mService, localAddress, remoteAddress, underlyingNetwork); } /** * Apply a transform to the IpSecTunnelInterface * * @param tunnel The {@link IpSecManager#IpSecTunnelInterface} that will use the supplied * transform. * @param direction the direction, {@link DIRECTION_OUT} or {@link #DIRECTION_IN} in which * the transform will be used. * @param transform an {@link IpSecTransform} created in tunnel mode * @throws IOException indicating that the transform could not be applied due to a lower * layer failure. * @hide */ @SystemApi @RequiresPermission(android.Manifest.permission.NETWORK_STACK) public void applyTunnelModeTransform(IpSecTunnelInterface tunnel, int direction, IpSecTransform transform) throws IOException { try { mService.applyTunnelModeTransform( tunnel.getResourceId(), direction, transform.getResourceId()); } catch (RemoteException e) { throw e.rethrowFromSystemServer(); } } /** * Construct an instance of IpSecManager within an application context. * * @param context the application context for this manager * @hide */ public IpSecManager(IIpSecService service) { mService = checkNotNull(service, "missing service"); } }