26 #include "ipsecpol.h" |
26 #include "ipsecpol.h" |
27 #include "log_ipsecpol.H" |
27 #include "log_ipsecpol.H" |
28 #include "ipsecpolparser.h" |
28 #include "ipsecpolparser.h" |
29 #include "secpolreader.h" |
29 #include "secpolreader.h" |
30 |
30 |
|
31 #include <comms-infras/dbaccess.h> |
|
32 #include <commdbconnpref.h> |
|
33 #include <featureuids.h> |
|
34 #include <e32debug.h> |
|
35 |
31 #define FIRST_ARGUMENT 0 |
36 #define FIRST_ARGUMENT 0 |
32 #define SECOND_ARGUMENT 1 |
37 #define SECOND_ARGUMENT 1 |
33 #define THIRD_ARGUMENT 2 |
38 #define THIRD_ARGUMENT 2 |
34 #define FOURTH_ARGUMENT 3 |
39 #define FOURTH_ARGUMENT 3 |
|
40 |
|
41 const TUint KAppSidDefault = 0xFFFFFFFF; |
|
42 const TUint32 KGANAppSid = 0x2002E241; |
35 |
43 |
36 // |
44 // |
37 // Create IPSecPolicyManagerHandler object |
45 // Create IPSecPolicyManagerHandler object |
38 // |
46 // |
39 CIPSecPolicyManagerHandler* |
47 CIPSecPolicyManagerHandler* |
270 { |
298 { |
271 iFunction = aMsg.Int3(); |
299 iFunction = aMsg.Int3(); |
272 TPckg<TZoneInfoSet>pckgZoneInfoSet(zoneInfoSet); |
300 TPckg<TZoneInfoSet>pckgZoneInfoSet(zoneInfoSet); |
273 aMsg.ReadL(THIRD_ARGUMENT, pckgZoneInfoSet); |
301 aMsg.ReadL(THIRD_ARGUMENT, pckgZoneInfoSet); |
274 } |
302 } |
275 iVPNNetId = 0; |
303 iVPNNetId = 0; |
276 if (zoneInfoSet.iSelectorZone.iScope != KScopeNone) |
304 if (zoneInfoSet.iSelectorZone.iScope != KScopeNone) |
277 { |
305 { |
278 iVPNNetId = zoneInfoSet.iSelectorZone.iId; |
306 iVPNNetId = zoneInfoSet.iSelectorZone.iId; |
279 } |
307 } |
280 iGwNetId = 0; |
308 iGwNetId = 0; |
281 if (zoneInfoSet.iEndPointZone.iScope != KScopeNone) |
309 if (zoneInfoSet.iEndPointZone.iScope != KScopeNone) |
282 { |
310 { |
283 iGwNetId = zoneInfoSet.iEndPointZone.iId; |
311 iGwNetId = zoneInfoSet.iEndPointZone.iId; |
284 } |
312 } |
|
313 |
285 LOG(Log::Printf(_L("LoadPolicy request VPN NetId: %d GW NetId: %d\n"), |
314 LOG(Log::Printf(_L("LoadPolicy request VPN NetId: %d GW NetId: %d\n"), |
286 iVPNNetId, iGwNetId)); |
315 iVPNNetId, iGwNetId)); |
287 |
316 if(iIPSecGANSupported) |
288 |
317 { |
|
318 LOG(Log::Printf(_L(" iIPSecGANSupported is true \n"))); |
|
319 |
|
320 TRAPD( err, CheckUMAEXception((TUint32)iVPNNetId)) |
|
321 if( err != KErrNone) |
|
322 { |
|
323 LOG(Log::Printf(_L("NO UMA Exception \n"))); |
|
324 } |
|
325 else |
|
326 { |
|
327 LOG(Log::Printf(_L("UMA Exception is added \n"))); |
|
328 } |
|
329 } |
|
330 |
289 // Parse the policy file from string format to the ipsecpolparser |
331 // Parse the policy file from string format to the ipsecpolparser |
290 // class object format |
332 // class object format |
291 ParseCurrentPolicyL(); |
333 ParseCurrentPolicyL(); |
292 |
334 |
293 // Calculate the Bypass/Drop mode of parsed policy |
335 // Calculate the Bypass/Drop mode of parsed policy |
297 |
339 |
298 // Check if we have a direct Bypass-everything-else Vs Drop-everything-else conflict between the active policy and |
340 // Check if we have a direct Bypass-everything-else Vs Drop-everything-else conflict between the active policy and |
299 // the one that is attempted to be loaded. If so, return with error |
341 // the one that is attempted to be loaded. If so, return with error |
300 |
342 |
301 TInt activepolicyBypassDropMode; |
343 TInt activepolicyBypassDropMode; |
|
344 //UMA support REQ 417-40027 |
|
345 TBool flag_exception =EFalse; |
|
346 // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one |
|
347 |
|
348 /* FORMAT OF UMA POLICY |
|
349 * remote 0.0.0.0 0.0.0.0 = { UMA_VPN_POLICY($SGW_IP_ADDRESS) } |
|
350 * inbound = { } |
|
351 * outbound = { } |
|
352 */ |
|
353 //Checking for exception loading. Exceptions are policies for USE CASES having conflict for loading of bypass |
|
354 //and drop policy. UMA being an excetion should be allowed to load policy. It doesnt make sense not to start UMA. |
|
355 if(iIPSecGANSupported) |
|
356 { |
|
357 flag_exception = CheckException(); |
|
358 LOG(Log::Printf(_L("Is exception policy already activated= %d\n"), flag_exception)); |
|
359 } |
|
360 else |
|
361 { |
|
362 LOG(Log::Printf(_L("UMA/GAN not supported and exception policy activated status = %d\n"), flag_exception)); |
|
363 } |
|
364 |
302 //coverity[var_compare_op] |
365 //coverity[var_compare_op] |
303 //intentional null comparision if there is no policylist do nothing. |
366 //intentional null comparision if there is no policylist do nothing. |
304 if (iActivePolicyList && iActivePolicyList->Count()) |
367 if (iActivePolicyList && iActivePolicyList->Count()) |
305 { |
368 { |
306 //coverity[var_compare_op] |
369 //UMA support REq417-40027 |
307 // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one |
370 if(iIPSecGANSupported) |
308 activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; |
371 { |
|
372 if(flag_exception) |
|
373 { |
|
374 activepolicyBypassDropMode = iBypassOrDropMode; |
|
375 } |
|
376 else |
|
377 { |
|
378 activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; |
|
379 } |
|
380 } |
|
381 else |
|
382 { |
|
383 // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one |
|
384 //coverity[var_compare_op] |
|
385 // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one |
|
386 activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; |
|
387 } |
|
388 |
309 if((policyBypassDropMode == KDropMode && (( activepolicyBypassDropMode & KInboundBypass) || (activepolicyBypassDropMode & KOutboundBypass))) || |
389 if((policyBypassDropMode == KDropMode && (( activepolicyBypassDropMode & KInboundBypass) || (activepolicyBypassDropMode & KOutboundBypass))) || |
310 (((policyBypassDropMode & KInboundBypass) || (policyBypassDropMode & KOutboundBypass)) && activepolicyBypassDropMode == KDropMode )) |
390 (((policyBypassDropMode & KInboundBypass) || (policyBypassDropMode & KOutboundBypass)) && activepolicyBypassDropMode == KDropMode )) |
311 { |
391 { |
312 ErrorHandlingL (ESelectorConflict,0); |
392 if(iIPSecGANSupported) |
313 } |
393 { |
314 } |
394 //should not Allow loading drop mode policy all the time |
|
395 //condition for allowing drop mode policy loading are |
|
396 //1) There should not be any other bypass policy loaded before. |
|
397 //2) or loaded bypass policy is UMA bypass policy |
|
398 |
|
399 TBool allowDropLoad = ETrue; |
|
400 for(int count = 0; count < iActivePolicyList->Count(); count++ ) |
|
401 { |
|
402 if((iActivePolicyList->At(count)->iBypassOrDropMode & KSymmetricBypass) &&(!(iActivePolicyList->At(count)->iException))) |
|
403 { |
|
404 //ipsec bypass policy is already loaded. |
|
405 LOG(Log::Printf(_L("\n should not allow loading of drop policy \n"))); |
|
406 allowDropLoad = EFalse; |
|
407 break; |
|
408 }//else do nothing |
|
409 } |
|
410 |
|
411 if(allowDropLoad && (policyBypassDropMode == KDropMode)) |
|
412 { |
|
413 LOG(Log::Printf(_L("Allowing loading drop mode policy, with activated exception bypass\n"))); |
|
414 } |
|
415 else if((((policyBypassDropMode & KInboundBypass) || (policyBypassDropMode & KOutboundBypass)) && iCurrentException) && activepolicyBypassDropMode == KDropMode ) |
|
416 { |
|
417 LOG(Log::Printf(_L("Allowing loading exception bypass mode policy, with activated drop mode\n"))); |
|
418 } |
|
419 else |
|
420 { |
|
421 ErrorHandlingL (ESelectorConflict,0); |
|
422 } |
|
423 } |
|
424 else |
|
425 { |
|
426 ErrorHandlingL (ESelectorConflict,0); |
|
427 } |
|
428 } |
|
429 } |
315 |
430 |
316 // Add VPNNetId to CPolicySelector and GwNetId to CSecpolBundleItem objects |
431 // Add VPNNetId to CPolicySelector and GwNetId to CSecpolBundleItem objects |
317 UpdateSelectorsAndTunnels(); |
432 UpdateSelectorsAndTunnels(); |
318 |
433 |
319 // Check if the IP addresses in the selectors of current policy |
434 // Check if the IP addresses in the selectors of current policy |
525 TInt ret = SearchPolicyFromListAndActivate(); |
640 TInt ret = SearchPolicyFromListAndActivate(); |
526 if (ret != KErrNone) |
641 if (ret != KErrNone) |
527 { |
642 { |
528 ErrorHandlingL(ret, 0 ); |
643 ErrorHandlingL(ret, 0 ); |
529 } |
644 } |
530 |
645 LOG(Log::Printf(_L("::ActivatePolicy, request to parse all policies\n"))); |
531 // Parse all active policy files from string format |
646 // Parse all active policy files from string format |
532 // to IPSecPolParser class object formats |
647 // to IPSecPolParser class object formats |
533 ParseAllPolicyFilesL(); |
648 ParseAllPolicyFilesL(); |
534 |
649 |
|
650 LOG(Log::Printf(_L("::ActivatePolicy request to calculate combined\n"))); |
535 // Calculate the combined policy Bypass/Drop mode |
651 // Calculate the combined policy Bypass/Drop mode |
536 CalculateCombinedPolicyBypassDropMode(); |
652 CalculateCombinedPolicyBypassDropMode(); |
537 |
653 |
538 // Delete all pure Inbound/Ooutbound selectors |
654 // Delete all pure Inbound/Ooutbound selectors |
539 DeleteExtraInboundOutboundSelectors(); |
655 DeleteExtraInboundOutboundSelectors(); |
552 if (err != KErrNone) |
668 if (err != KErrNone) |
553 { |
669 { |
554 ErrorHandlingL(ENoMemory, err); |
670 ErrorHandlingL(ENoMemory, err); |
555 } |
671 } |
556 |
672 |
|
673 //UMA support REQ417-40027 |
|
674 TBool flag_exception = EFalse; |
|
675 if(iIPSecGANSupported) |
|
676 { |
|
677 flag_exception = CheckException(); |
|
678 if(flag_exception || iCurrentException) |
|
679 { |
|
680 if(iBypassOrDropMode != KSymmetricBypass) |
|
681 { |
|
682 err = AddExceptionSelectors(); |
|
683 if (err != KErrNone) |
|
684 { |
|
685 ErrorHandlingL(ENoMemory, err); |
|
686 } |
|
687 }//if symmetry |
|
688 }//flag_exception |
|
689 } |
|
690 |
557 // Send the algorithms table and the string format policy file to |
691 // Send the algorithms table and the string format policy file to |
558 // IPSec protocol component using Secpol socket |
692 // IPSec protocol component using Secpol socket |
559 SendAlgorithmsAndPolicyToIPSecL(_L("secpol6")); |
693 SendAlgorithmsAndPolicyToIPSecL(_L("secpol6")); |
560 |
694 |
561 LOG(Log::Printf(_L("ActivatePolicy request completed OK, handle: %d\n"), |
695 LOG(Log::Printf(_L("ActivatePolicy request completed OK, handle: %d\n"), |
732 ErrorHandlingL(ENoMemory, err); |
880 ErrorHandlingL(ENoMemory, err); |
733 } |
881 } |
734 |
882 |
735 // Check if given policy contains 'drop_everything_else' rule |
883 // Check if given policy contains 'drop_everything_else' rule |
736 // and add IKE, DHCP and MIPv4 bypass selectors if necessary |
884 // and add IKE, DHCP and MIPv4 bypass selectors if necessary |
737 if (aBypassDropMode == KDropMode) |
885 //UMA support REQ417-40027 |
|
886 //DHCP selectors & IKE selectors should be added even when UMA is UP |
|
887 if (aBypassDropMode == KDropMode ||(iIPSecGANSupported && iCurrentException)) |
738 { |
888 { |
739 // Allow plain IKE negotiation packets. Write the bypass |
889 // Allow plain IKE negotiation packets. Write the bypass |
740 // selectors to the end of selector list, but they will |
890 // selectors to the end of selector list, but they will |
741 // later be sorted to the beginning of selectors. |
891 // later be sorted to the beginning of selectors. |
742 if (aFunction & KAddIkeBypassSelectors) |
892 if (aFunction & KAddIkeBypassSelectors) |
816 entry->iActiveState = EFalse; |
967 entry->iActiveState = EFalse; |
817 entry->iBypassOrDropMode = aBypassOrDropMode; |
968 entry->iBypassOrDropMode = aBypassOrDropMode; |
818 entry->iPolicyHandle.iHandle = iCurrentPolicyHandle.iHandle; |
969 entry->iPolicyHandle.iHandle = iCurrentPolicyHandle.iHandle; |
819 entry->iPolicyBuf = iPolBfr; |
970 entry->iPolicyBuf = iPolBfr; |
820 entry->iPolicyType = aPolType; |
971 entry->iPolicyType = aPolType; |
|
972 if(iIPSecGANSupported) |
|
973 { |
|
974 entry->iException = iCurrentException ; |
|
975 } |
|
976 |
821 iPolBfr = NULL; |
977 iPolBfr = NULL; |
822 CleanupStack::PushL(entry->iPolicyBuf); |
978 CleanupStack::PushL(entry->iPolicyBuf); |
823 |
979 |
824 // Store a new entry to active policy list |
980 // Store a new entry to active policy list |
825 iActivePolicyList->AppendL(entry); |
981 iActivePolicyList->AppendL(entry); |
2161 LOG(Log::Printf(_L("EnumerateSelectors request completed OK\n"))); |
2317 LOG(Log::Printf(_L("EnumerateSelectors request completed OK\n"))); |
2162 ApiCallCompleted(); |
2318 ApiCallCompleted(); |
2163 return KErrNone; |
2319 return KErrNone; |
2164 } |
2320 } |
2165 |
2321 |
|
2322 |
|
2323 //Checking excetion flags |
|
2324 TBool CIPSecPolicyManagerHandler::CheckException() |
|
2325 { |
|
2326 int count_=0; |
|
2327 TBool flag_exception = EFalse; |
|
2328 while(count_ < iActivePolicyList->Count()) |
|
2329 { |
|
2330 if(iActivePolicyList->At(count_)->iException) |
|
2331 { |
|
2332 LOG(Log::Printf(_L("::CheckException, Exception policy Activated"))); |
|
2333 flag_exception = ETrue; |
|
2334 break; |
|
2335 } |
|
2336 else |
|
2337 { |
|
2338 LOG(Log::Printf(_L(" Exception is not presnt iActivePolicyList->At(%d)"), count_)); |
|
2339 } |
|
2340 count_ ++; |
|
2341 } |
|
2342 return flag_exception; |
|
2343 |
|
2344 } |
|
2345 |
|
2346 |
|
2347 /** |
|
2348 *This method to find out the iapid from network id |
|
2349 *@param aNetId : network id |
|
2350 *@param aIapId : iapid |
|
2351 *@return void |
|
2352 */ |
|
2353 |
|
2354 void CIPSecPolicyManagerHandler::SearchIAPIdL( const TUint32& aNetId, |
|
2355 TUint32& aIapId ) |
|
2356 { |
|
2357 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SearchIAPIdL Entry\n"))); |
|
2358 |
|
2359 CCommsDatabase* commsDatabase = CCommsDatabase::NewL(); |
|
2360 CleanupStack::PushL(commsDatabase); |
|
2361 |
|
2362 // Make hidden records visible |
|
2363 commsDatabase->ShowHiddenRecords(); |
|
2364 |
|
2365 // Open IAP table view by matching IAP_NETWORK Id |
|
2366 CCommsDbTableView* commsDbTableView = |
|
2367 commsDatabase->OpenViewMatchingUintLC( TPtrC( IAP ), |
|
2368 TPtrC( IAP_NETWORK ), |
|
2369 aNetId ); |
|
2370 |
|
2371 User::LeaveIfError( commsDbTableView->GotoFirstRecord() ); |
|
2372 |
|
2373 commsDbTableView->ReadUintL(TPtrC( COMMDB_ID ), aIapId ); |
|
2374 |
|
2375 LOG(Log::Printf(_L("CMPMCommsDatAccess::SearchIAPIdL - Found IAP IdId: = %d\n"),aIapId)); |
|
2376 |
|
2377 CleanupStack::PopAndDestroy(commsDbTableView); |
|
2378 CleanupStack::PopAndDestroy(commsDatabase); |
|
2379 |
|
2380 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SearchIAPIdL Exit \n"))); |
|
2381 } |
|
2382 |
|
2383 /** |
|
2384 *This API call is to pass the sid or any other relevent information |
|
2385 *from other components to IPSec module. |
|
2386 * |
|
2387 *@param |
|
2388 *@param |
|
2389 *@return |
|
2390 */ |
|
2391 void CIPSecPolicyManagerHandler::SetOptL(const RMessage2& aMsg) |
|
2392 { |
|
2393 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SetOptL\n"))); |
|
2394 //Read the option name from the RMessage |
|
2395 TUint optionName; |
|
2396 TPckg<TUint> optionNamePkg(optionName) ; |
|
2397 aMsg.ReadL(FIRST_ARGUMENT, optionNamePkg); |
|
2398 //Read the option level from the RMessage |
|
2399 TUint optionLevel; |
|
2400 TPckg<TUint> optionLevelPkg(optionLevel) ; |
|
2401 aMsg.ReadL(SECOND_ARGUMENT, optionLevelPkg); |
|
2402 LOG(Log::Printf(_L("option name = %d and option level is = %d \n"), iAppSid, optionLevel)); |
|
2403 //Read option value |
|
2404 HBufC8* optionValue; |
|
2405 TInt dataLen = aMsg.GetDesLength(THIRD_ARGUMENT); |
|
2406 optionValue = HBufC8::NewL(dataLen); |
|
2407 CleanupStack::PushL(optionValue); |
|
2408 TPtr8 optionValuePtr(optionValue->Des()); |
|
2409 aMsg.ReadL(THIRD_ARGUMENT, optionValuePtr); |
|
2410 |
|
2411 if(optionLevel == KOptionLevelDefault) |
|
2412 { |
|
2413 if(optionName == KOptionNameSid) |
|
2414 { |
|
2415 TLex8 lex(*optionValue); |
|
2416 TUint dataValue; |
|
2417 lex.Val(dataValue); |
|
2418 iAppSid = dataValue;//store the appsid value. |
|
2419 LOG(Log::Printf(_L("Application sid value is %d \n"), iAppSid)); |
|
2420 }//else donothing as of now |
|
2421 else |
|
2422 { |
|
2423 User::Leave(KErrArgument); |
|
2424 LOG(Log::Printf(_L(" \nwrong Name\n"))); |
|
2425 } |
|
2426 } |
|
2427 else |
|
2428 { |
|
2429 User::Leave(KErrArgument); |
|
2430 LOG(Log::Printf(_L(" Wrong option KOptionLevelDefault\n"))); |
|
2431 } |
|
2432 CleanupStack::PopAndDestroy(); |
|
2433 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SetOptL\n"))); |
|
2434 } |
|
2435 |
|
2436 /** |
|
2437 *This method to check the exception. |
|
2438 **/ |
|
2439 TBool CIPSecPolicyManagerHandler::CheckUMAL(TUint32 aIapId) |
|
2440 { |
|
2441 CMDBSession* cmdbSession; |
|
2442 CCDIAPRecord* ptrIapRecord1; |
|
2443 ptrIapRecord1 = static_cast<CCDIAPRecord*>(CCDRecordBase::RecordFactoryL(KCDTIdIAPRecord)); |
|
2444 CleanupStack::PushL(ptrIapRecord1); |
|
2445 cmdbSession = CMDBSession::NewL(CMDBSession::LatestVersion()); |
|
2446 CleanupStack::PushL(cmdbSession); |
|
2447 cmdbSession->SetAttributeMask( ECDHidden | ECDPrivate ); |
|
2448 ptrIapRecord1->SetRecordId(aIapId); |
|
2449 ptrIapRecord1->LoadL(*cmdbSession); |
|
2450 |
|
2451 TUint32 secureId; |
|
2452 secureId = ptrIapRecord1->iAppSid; |
|
2453 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAL Secure id is = %d\n"), secureId)); |
|
2454 CleanupStack::PopAndDestroy(cmdbSession); |
|
2455 CleanupStack::PopAndDestroy(ptrIapRecord1); |
|
2456 TBool result = EFalse; |
|
2457 if(secureId == KGANAppSid) |
|
2458 { |
|
2459 LOG(Log::Printf(_L("\n Exception added to the selector "))); |
|
2460 result = ETrue; |
|
2461 } |
|
2462 else |
|
2463 { |
|
2464 LOG(Log::Printf(_L(" No Exception added \n"))); |
|
2465 } |
|
2466 return result; |
|
2467 } |
|
2468 |
|
2469 /** |
|
2470 *This method to check the exception. |
|
2471 **/ |
|
2472 void CIPSecPolicyManagerHandler::CheckUMAEXception(TUint32 aVpnNetId) |
|
2473 { |
|
2474 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAEXception Entry \n"))); |
|
2475 TUint32 aIapId; |
|
2476 SearchIAPIdL(aVpnNetId, aIapId); |
|
2477 iCurrentException = CheckUMAL(aIapId); |
|
2478 LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAEXception Exit \n"))); |
|
2479 } |
|
2480 |
|
2481 |