This commit
- Moves API and implementation to separate packages so that later
we can expose the API package only.
- Also moves tests accordingly
Bug: 143983419
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: I53cf15caefb09aabaeefd0167d8daeb23e5e571f
|
|
This commit changes several methods from package-private to public
so that later we can separate API and Impl into different packages
Bug: 143983419
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: Ie08b5ab6bdf8b27a523a4b6f28a83bbf2b02bbe0
|
|
This commit adds interface to configure AUTH method to digital
signature.
Bug: 142139930
Test: atest FrameworksIkeTests(new tests added)
Change-Id: I6d499ac6c1cdf01c64891d855405b29518ea86d0
|
|
Bug: 142667016
Test: added EapAkaPrimeTest.
Test: atest FrameworksIkeTests
Change-Id: I068f091497de88b031c541b3fb677b997451a111
|
|
EAP-AKA' specifies the use of AT_BIDDING in EAP-AKA as a means to
prevent bidding down attacks from EAP-AKA' to EAP-AKA (RFC 5448#4). To
do so, the EapAkaMethodStateMachine must check for this attribute and
whether EAP-AKA' is supported after successfully authenticating the
server. If the server specifies that EAP-AKA' is supported, an
Authentication-Reject response is sent to the server.
Bug: 142742437
Test: added test case to EapAkaChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I859449c7f537ffe81d7d30c181008430abadbc96
|
|
EAP-AKA' specifies the use of the AT_BIDDING attribute to prevent
EAP-AKA' sessions from being downgraded to use EAP-AKA by a
man-in-the-middle attack. Supporting this feature in the EAP-AKA state
machine requires the state machine to know whether EAP-AKA' is supported
by the peer. An additional constructor is added to
EapAkaMethodStateMachine and used by the EapStateMachine so that EAP-AKA
can check for bidding down attacks.
Bug: 142742437
Test: atest FrameworksIkeTests
Change-Id: Ife3ec6024644521f8de80bd095db884548ffe22d
|
|
EAP-AKA' requires the use of HMAC-SHA-256 for computing MACs on
messages. To achieve this, the default behavior for EAP-SIM/AKA needs to
be overwritten so that the correct MAC algorithm is used.
Bug: 142668075
Test: added test case to EapAkaPrimeMethodStateMachineTest.
Test: atest FrameworksIkeTests
Change-Id: I33e91c4f0ae9fcd6db22e6055d42d5dab53c8297
|
|
EAP-AKA's ChallengeState defines generateAndPersistEapAkaKeys() for
generating and persisting keys as defined by EAP-AKA. EAP-AKA' needs to
override this behavior to derive keys as required by the EAP-AKA'
standard. This requires the use of HMAC-SHA-256 and the IKEv2 prf+
function.
Bug: 142668075
Test: added test to EapAkaPrimeChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I5213a133e3429eb83199db7a9d8c70de36710b06
|
|
Both EAP-SIM and EAP-AKA have the same key lengths: K_encr and K_aut are
both 16B, and MSK and EMSK are both 64B. However, EAP-AKA' uses K_aut
keys with a length of 32B.
Bug: 142968025
Bug: 142668075
Test: added test to EapSimAkaMethodStateMachineTest.
Test: atest FrameworksIkeTests
Change-Id: I1570f7823a42bce78da3aa9e4d10e3ba0a0eeddd
|
|
In order to generate the MK for an EAP-AKA' session, EAP-AKA' requires
the use of an HMAC-SHA-256 algorithm to sign data as part of the
IkeMacPrf function. This implements a thin wrapper around the
javax.crypto.Mac implementation of the HMAC-SHA-256 algorithm.
Bug: 142668075
Test: added HmacSha256ByteSignerTest.
Test: atest FrameworksIkeTests
Change-Id: I352b8f1317e46b1fbfb2bdb56e254ac9a340a063
|
|
EAP-AKA' requires the use of CK' and IK' instead of using CK and IK
directly as done in EAP-AKA. To convert them, the data is formatted as
defined in TS 133 402 Annex A.2 and fed into the key derivation function
KDF as defined in TS 133 220 Annex B.2.
Bug: 142668075
Test: added test case to EapAkaPrimeChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I80b384aa3baf4a09db4bc37aebb5c9e4de3d8b90
|
|
EAP-AKA' requires additional attribute checking on top of that done by
EAP-AKA. EAP-AKA' also requires AT_KDF and AT_KDF_INPUT attributes. The
AT_KDF_INPUT attribute must contain a network name that matches the
peer's known network name. The KDF specified by the server must be
supported by the peer.
Bug: 142668075
Test: added test cases to EapAkaPrimeChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I4ca1a803cae81dd821ef259dbebedc9f4b5b363e
|
|
Bug: 140644654
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: Ib62e7060f3a113d7e39b0599e9720b4e88d78f28
|
|
This commit passes server address and UDP encap socket to
IkeSessionOptions.Builder via setters instead of constructor
Bug: 142139930
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: I60b30eef022e01ae010eb2f9cfe67e09aa01ac04
|
|
This commit:
- Renames IChildSessionCallback and IIkeSessionCallback
- Renames #onError and #onInfo
Bug: 142139930
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: If6e5dbe2273820e73ddcf73331341359d1f5b41c
|
|
EAP-AKA' requires checking network names as part of using KDF 1.
However, it recommends allowing for a user policy to ignore mismatched
network names (RFC 5448#3.1).
Bug: 142805103
Test: added test case to EapSessionConfigTest.
Test: atest FrameworksIkeTests
Change-Id: I0c7b2dd01f68360a9e2fc8ef63b9b530036ada64
|
|
Bug: 142668075
Test: updated EapAkaPrimeCreatedStateTest.
Test: updated EapAkaPrimeIdentityStateTest.
Test: added EapAkaPrimeChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I7b36c48859ca0c665736f8c7ece6eff25dc1a888
|
|
EAP-AKA' utilizes the IdentityState from EAP-AKA. Tests need to be added
to ensure that functionality for the IdentityState and its transitions to
the ChallengeState are preserved.
Bug: 142668075
Test: added EapAkaPrimeIdentityStateTest.
Test: atest FrameworksIkeTests
Change-Id: I96c08a44e3bed76c85196af7796757d67ae8d09b
|
|
EAP-AKA' utilizes the CreatedState from EAP-AKA. Tests need to be added
to ensure that functionality for the CreatedState and its transitions to
the IdentityState and ChallengeState are preserved.
Bug: 142668075
Test: added EapAkaPrimeStateTest and EapAkaPrimeCreatedStateTest.
Test: atest FrameworksIkeTests
Change-Id: I5331ecff8dc29ebcbcc9b88e328cde4847aa416f
|
|
Create skeleton method state machine for EAP-AKA'. Because much of the
behavior will depend on the EAP-AKA method state machine,
EapAkaPrimeMethodStateMachine extends the EapAkaMethodStateMachine.
Bug: 142665199
Test: added test case to MethodStateTest.
Test: added EapAkaPrimeMethodStateMachineTest.
Test: atest FrameworksIkeTests
Change-Id: I0a721e22ee5761f2b35dc4de240f6cc431b2c5bc
|
|
Bug: 142805103
Test: added EapSessionConfigTest.
Test: atest FrameworksIkeTests
Change-Id: I8f1c08df9feb4d4ac9c26494430e4315c543961a
|
|
EAP-AKA' requires a separate AttributeFactory from EAP-AKA, so a
separate Type Data is defined. EapAkaPrimeTypeData requires TypeData
decoding for AT_KDF_INPUT, AT_KDF, and AT_BIDDING attributes.
Note that EAP-AKA' specifies that multiple AT_KDF attributes can be
sent to the peer from the server. However, only 1 KDF (using CK' and
IK') is specified at this time. Because of this, we return an
AtClientError attribute if multiple KDF values are sent in the
EAP-Request/AKA'/Challenge message.
Bug: 142666520
Test: added test EapAkaPrimeTypeDataTest.
Test: atest FrameworksIkeTests
Change-Id: I82b7c7ee2aec307f74dc50da7b34ae8f12d20c8c
|
|
EAP-AKA' defines AT_BIDDING in RFC 5448#4 for use by EAP-AKA to prevent
bidding down attacks. This attribute is defined in
EapAkaAttributeFactory as it will be received in the EAP-AKA protocol
(not during EAP-AKA').
Bug: 142663198
Test: added AtBiddingTest.
Test: atest FrameworksIkeTests
Change-Id: Ib9f2befab1c4338f30b0dfa28905be32a703084e
|
|
* changes:
Implement KEY ID type of IKE Identification
Implement RFC 822 Address Identification
Refactor IkeIdentification
|
|
* changes:
Implement Config Attribute for DHCPv4 server
Add interfaces for requesting DNS server and subnet
Refactor IkeConfigPayload
|
|
This commit:
- Creates a new class that represents KEY ID
- Supports decoding ID payload using KEY ID
- Adds tests to verify decoding and encoding
Bug: 142139930
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: I35c9c6509fd82df75ced7f5382d0a7ff6a90266a
|
|
Bug: 142663198
Test: added AtKdfTest.
Test: atest FrameworksIkeTests
Change-Id: I6b9f6e1fe98c10f4a20f1525409a8340ccfaebdf
|
|
EAP-AKA' needs an attribute factory to be used for decoding EAP-AKA'
specific attributes. The AT_KDF_INPUT attribute is also defined per RFC
5448#3.1.
Bug: 142663198
Test: added AtKdfInputTest.
Test: atest FrameworksIkeTests
Change-Id: I285d4151cd8b1dc3ec592b2ff14e1b0d549af8e5
|
|
This commit:
- Creates IkeSessionConfiguration interface
- Passes IkeSessionConfiguration to IkeSessionCallback
Bug: 140644755
Test: atest FrameworksIkeTests(all passed)
Change-Id: Id31a9e01f608c1408bb9cae2c1b0b5bae4e42dc5
|
|
This class:
- Creates a new class that represents RFC822 address IKE
Identification
- Supports decoding ID payload with this ID type
- Adds tests for decoding and encoding
Bug: 142139930
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: Ied38696ae658a998383f8321e1fba22ecadf3a4c
|
|
This commit moves all subclasses of IkeIdentification to separate
files.
Bug: 142139930
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: Ic89a432df601f851345371c8dda4df6ebd24addf
|
|
* changes:
Fix bug in IKE fragment authentication
Decrypt IKE message with AEAD
Support AEAD decryption and encryption
|
|
Bug: 140644912
Test: atest FrameworksIkeTests(new tests added)
Change-Id: I63d76d2863382d3b992092cb7cae90fab8066f2e
|
|
This commit allows users to add requests for DNS server
and internal subnet when negotiating tunnel mode Child Session.
Bug: 140644654
Test: atest FrameworksIkeTests(all tests passed)
Change-Id: I02ac09c7958c90d1f0c9d6d4c6a692aa5bb9c3c1
|
|
This commit:
- Adds support for constructing a DNS attribute with specific
DNS server address
- Removes constructors that construct IPv4 and IPv6 subnet
attribute with specific address and related tests
- Makes constructors for inbound config attributes package private
Bug: 140644912
Test: atest FrameworksIkeTests(new tests added)
Change-Id: I7da5e6c5747b3da32eeda51e00f3010931c044f6
|
|
Bug: 122676270
Test: atest FrameworksIkeTests(new tests added)
Change-Id: Ic2d97c36bf261d5dd7eff3e2088d027649ea38c3
|
|
This commit fixes the bug in generating checksum of an outbound
IKE fragment, which is caused by omitting the fragment header.
Bug: 142504816
Test: atest FrameworksIkeTests(new tests added)
Change-Id: I285f1590bdb5ea371f382ce2a310c426c8c6aadc
|