diff -r abbed5a4b42a -r 8d540f55e491 networksecurity/ipsec/ipsecpol/src/ipsecpolmanhandler.cpp --- a/networksecurity/ipsec/ipsecpol/src/ipsecpolmanhandler.cpp Tue Aug 31 16:45:15 2010 +0300 +++ b/networksecurity/ipsec/ipsecpol/src/ipsecpolmanhandler.cpp Wed Sep 01 12:33:58 2010 +0100 @@ -1,4 +1,4 @@ -// Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies). +// Copyright (c) 2005-2010 Nokia Corporation and/or its subsidiary(-ies). // All rights reserved. // This component and the accompanying materials are made available // under the terms of "Eclipse Public License v1.0" @@ -28,11 +28,19 @@ #include "ipsecpolparser.h" #include "secpolreader.h" +#include +#include +#include +#include + #define FIRST_ARGUMENT 0 #define SECOND_ARGUMENT 1 #define THIRD_ARGUMENT 2 #define FOURTH_ARGUMENT 3 +const TUint KAppSidDefault = 0xFFFFFFFF; +const TUint32 KGANAppSid = 0x2002E241; + // // Create IPSecPolicyManagerHandler object // @@ -65,6 +73,9 @@ iPreloadPolicyHandle.iHandle = 0; + CheckFeatureSupportL(NFeature::KFeatureIdFfIpsecUmaSupportEnable); + + iAppSid = KAppSidDefault; #ifdef TESTFLAG @@ -74,7 +85,6 @@ ReadAlgorithmsFileL(); iSelectorInfoArray = new (ELeave) CArrayFixFlat (2); - } // @@ -174,6 +184,24 @@ iSelectorInfoArray = NULL; } +/** + * To check the feature support + */ +void CIPSecPolicyManagerHandler::CheckFeatureSupportL(TUid aFeature) + { + // Check Gan support from feature manager + TRAPD(err,iIPSecGANSupported = CFeatureDiscovery::IsFeatureSupportedL(aFeature)); + + if(KErrNone != err) + { + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckFeatureSupport Error Checking Feature Support %d"),err)); + } + else + { + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckFeatureSupport %d Feature Supported %d"),aFeature,iIPSecGANSupported)); + } + } + // // Release resources allocated for a call // @@ -272,7 +300,7 @@ TPckgpckgZoneInfoSet(zoneInfoSet); aMsg.ReadL(THIRD_ARGUMENT, pckgZoneInfoSet); } - iVPNNetId = 0; + iVPNNetId = 0; if (zoneInfoSet.iSelectorZone.iScope != KScopeNone) { iVPNNetId = zoneInfoSet.iSelectorZone.iId; @@ -282,10 +310,24 @@ { iGwNetId = zoneInfoSet.iEndPointZone.iId; } + LOG(Log::Printf(_L("LoadPolicy request VPN NetId: %d GW NetId: %d\n"), iVPNNetId, iGwNetId)); + if(iIPSecGANSupported) + { + LOG(Log::Printf(_L(" iIPSecGANSupported is true \n"))); - + TRAPD( err, CheckUMAEXception((TUint32)iVPNNetId)) + if( err != KErrNone) + { + LOG(Log::Printf(_L("NO UMA Exception \n"))); + } + else + { + LOG(Log::Printf(_L("UMA Exception is added \n"))); + } + } + // Parse the policy file from string format to the ipsecpolparser // class object format ParseCurrentPolicyL(); @@ -299,19 +341,92 @@ // the one that is attempted to be loaded. If so, return with error TInt activepolicyBypassDropMode; + //UMA support REQ 417-40027 + TBool flag_exception =EFalse; + // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one + + /* FORMAT OF UMA POLICY + * remote 0.0.0.0 0.0.0.0 = { UMA_VPN_POLICY($SGW_IP_ADDRESS) } + * inbound = { } + * outbound = { } + */ + //Checking for exception loading. Exceptions are policies for USE CASES having conflict for loading of bypass + //and drop policy. UMA being an excetion should be allowed to load policy. It doesnt make sense not to start UMA. + if(iIPSecGANSupported) + { + flag_exception = CheckException(); + LOG(Log::Printf(_L("Is exception policy already activated= %d\n"), flag_exception)); + } + else + { + LOG(Log::Printf(_L("UMA/GAN not supported and exception policy activated status = %d\n"), flag_exception)); + } + //coverity[var_compare_op] //intentional null comparision if there is no policylist do nothing. if (iActivePolicyList && iActivePolicyList->Count()) { - //coverity[var_compare_op] - // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one - activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; + //UMA support REq417-40027 + if(iIPSecGANSupported) + { + if(flag_exception) + { + activepolicyBypassDropMode = iBypassOrDropMode; + } + else + { + activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; + } + } + else + { + // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one + //coverity[var_compare_op] + // It is ok to compare with the first active policy. Every subsequent policy would have been compared against the first one + activepolicyBypassDropMode = iActivePolicyList->At(0)->iBypassOrDropMode; + } + if((policyBypassDropMode == KDropMode && (( activepolicyBypassDropMode & KInboundBypass) || (activepolicyBypassDropMode & KOutboundBypass))) || (((policyBypassDropMode & KInboundBypass) || (policyBypassDropMode & KOutboundBypass)) && activepolicyBypassDropMode == KDropMode )) { - ErrorHandlingL (ESelectorConflict,0); + if(iIPSecGANSupported) + { + //should not Allow loading drop mode policy all the time + //condition for allowing drop mode policy loading are + //1) There should not be any other bypass policy loaded before. + //2) or loaded bypass policy is UMA bypass policy + + TBool allowDropLoad = ETrue; + for(int count = 0; count < iActivePolicyList->Count(); count++ ) + { + if((iActivePolicyList->At(count)->iBypassOrDropMode & KSymmetricBypass) &&(!(iActivePolicyList->At(count)->iException))) + { + //ipsec bypass policy is already loaded. + LOG(Log::Printf(_L("\n should not allow loading of drop policy \n"))); + allowDropLoad = EFalse; + break; + }//else do nothing + } + + if(allowDropLoad && (policyBypassDropMode == KDropMode)) + { + LOG(Log::Printf(_L("Allowing loading drop mode policy, with activated exception bypass\n"))); + } + else if((((policyBypassDropMode & KInboundBypass) || (policyBypassDropMode & KOutboundBypass)) && iCurrentException) && activepolicyBypassDropMode == KDropMode ) + { + LOG(Log::Printf(_L("Allowing loading exception bypass mode policy, with activated drop mode\n"))); + } + else + { + ErrorHandlingL (ESelectorConflict,0); + } + } + else + { + ErrorHandlingL (ESelectorConflict,0); + } } - } + } // Add VPNNetId to CPolicySelector and GwNetId to CSecpolBundleItem objects UpdateSelectorsAndTunnels(); @@ -344,6 +459,7 @@ ApiCallCompleted(); return KErrNone; } + // // @@ -389,9 +505,8 @@ iGwNetId = zoneInfoSet.iEndPointZone.iId; } - LOG(Log::Printf(_L("LoadPolicy request VPN NetId: %d GW NetId: %d\n"), + LOG(Log::Printf(_L("******LoadPolicy request VPN NetId: %d GW NetId: %d****\n"), iVPNNetId, iGwNetId)); - if (scopedLoad) { // Load BeforescopedLoadPolicies before @@ -527,11 +642,12 @@ { ErrorHandlingL(ret, 0 ); } - + LOG(Log::Printf(_L("::ActivatePolicy, request to parse all policies\n"))); // Parse all active policy files from string format // to IPSecPolParser class object formats ParseAllPolicyFilesL(); + LOG(Log::Printf(_L("::ActivatePolicy request to calculate combined\n"))); // Calculate the combined policy Bypass/Drop mode CalculateCombinedPolicyBypassDropMode(); @@ -554,6 +670,24 @@ ErrorHandlingL(ENoMemory, err); } + //UMA support REQ417-40027 + TBool flag_exception = EFalse; + if(iIPSecGANSupported) + { + flag_exception = CheckException(); + if(flag_exception || iCurrentException) + { + if(iBypassOrDropMode != KSymmetricBypass) + { + err = AddExceptionSelectors(); + if (err != KErrNone) + { + ErrorHandlingL(ENoMemory, err); + } + }//if symmetry + }//flag_exception + } + // Send the algorithms table and the string format policy file to // IPSec protocol component using Secpol socket SendAlgorithmsAndPolicyToIPSecL(_L("secpol6")); @@ -692,6 +826,20 @@ { ErrorHandlingL(ENoMemory, err); } +//UMA support + TBool flag_exception = EFalse; + if(iIPSecGANSupported) + { + flag_exception = CheckException(); + if(flag_exception) + { + LOG(Log::Printf(_L("::ProcessUnloadPolicy, Adding exception selectors"))); + if(iBypassOrDropMode != KSymmetricBypass) + { + AddExceptionSelectors(); + } + } + } // Send the algorithms table and the string format policy file to // IPSec protocol component using Secpol socket @@ -734,7 +882,9 @@ // Check if given policy contains 'drop_everything_else' rule // and add IKE, DHCP and MIPv4 bypass selectors if necessary - if (aBypassDropMode == KDropMode) + //UMA support REQ417-40027 + //DHCP selectors & IKE selectors should be added even when UMA is UP + if (aBypassDropMode == KDropMode ||(iIPSecGANSupported && iCurrentException)) { // Allow plain IKE negotiation packets. Write the bypass // selectors to the end of selector list, but they will @@ -753,10 +903,11 @@ ErrorHandlingL(ENoMemory, err); } } - - // Allow plain DHCP negotiation packets. Write bypass mode + //UMA support REQ417-40027 + TBool UMAFLAG = ETrue; + // Allow plain DHCP negotiation packets. Write bypass mode // selectors for DHCP ports (67, 68) to the end of selector list. - if (aFunction & KAddDhcpBypassSelectors) + if (aFunction & KAddDhcpBypassSelectors || (iIPSecGANSupported && UMAFLAG)) { TInt err = BuildDhcpProtocolString(iPolBfr); if (err != KErrNone) @@ -818,6 +969,11 @@ entry->iPolicyHandle.iHandle = iCurrentPolicyHandle.iHandle; entry->iPolicyBuf = iPolBfr; entry->iPolicyType = aPolType; + if(iIPSecGANSupported) + { + entry->iException = iCurrentException ; + } + iPolBfr = NULL; CleanupStack::PushL(entry->iPolicyBuf); @@ -1451,8 +1607,8 @@ if (autoloadListItem != NULL) { CleanupStack::PushL(autoloadListItem); - iScopedAutoloadPolicyPairs.AppendL(autoloadListItem); - CleanupStack::Pop(autoloadListItem); + iScopedAutoloadPolicyPairs.AppendL(autoloadListItem); + CleanupStack::Pop(autoloadListItem); } } @@ -2163,3 +2319,163 @@ return KErrNone; } + +//Checking excetion flags +TBool CIPSecPolicyManagerHandler::CheckException() + { + int count_=0; + TBool flag_exception = EFalse; + while(count_ < iActivePolicyList->Count()) + { + if(iActivePolicyList->At(count_)->iException) + { + LOG(Log::Printf(_L("::CheckException, Exception policy Activated"))); + flag_exception = ETrue; + break; + } + else + { + LOG(Log::Printf(_L(" Exception is not presnt iActivePolicyList->At(%d)"), count_)); + } + count_ ++; + } + return flag_exception; + + } + + +/** + *This method to find out the iapid from network id + *@param aNetId : network id + *@param aIapId : iapid + *@return void + */ + +void CIPSecPolicyManagerHandler::SearchIAPIdL( const TUint32& aNetId, + TUint32& aIapId ) + { + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SearchIAPIdL Entry\n"))); + + CCommsDatabase* commsDatabase = CCommsDatabase::NewL(); + CleanupStack::PushL(commsDatabase); + + // Make hidden records visible + commsDatabase->ShowHiddenRecords(); + + // Open IAP table view by matching IAP_NETWORK Id + CCommsDbTableView* commsDbTableView = + commsDatabase->OpenViewMatchingUintLC( TPtrC( IAP ), + TPtrC( IAP_NETWORK ), + aNetId ); + + User::LeaveIfError( commsDbTableView->GotoFirstRecord() ); + + commsDbTableView->ReadUintL(TPtrC( COMMDB_ID ), aIapId ); + + LOG(Log::Printf(_L("CMPMCommsDatAccess::SearchIAPIdL - Found IAP IdId: = %d\n"),aIapId)); + + CleanupStack::PopAndDestroy(commsDbTableView); + CleanupStack::PopAndDestroy(commsDatabase); + + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SearchIAPIdL Exit \n"))); + } + +/** + *This API call is to pass the sid or any other relevent information + *from other components to IPSec module. + * + *@param + *@param + *@return + */ + void CIPSecPolicyManagerHandler::SetOptL(const RMessage2& aMsg) + { + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SetOptL\n"))); + //Read the option name from the RMessage + TUint optionName; + TPckg optionNamePkg(optionName) ; + aMsg.ReadL(FIRST_ARGUMENT, optionNamePkg); + //Read the option level from the RMessage + TUint optionLevel; + TPckg optionLevelPkg(optionLevel) ; + aMsg.ReadL(SECOND_ARGUMENT, optionLevelPkg); + LOG(Log::Printf(_L("option name = %d and option level is = %d \n"), iAppSid, optionLevel)); + //Read option value + HBufC8* optionValue; + TInt dataLen = aMsg.GetDesLength(THIRD_ARGUMENT); + optionValue = HBufC8::NewL(dataLen); + CleanupStack::PushL(optionValue); + TPtr8 optionValuePtr(optionValue->Des()); + aMsg.ReadL(THIRD_ARGUMENT, optionValuePtr); + + if(optionLevel == KOptionLevelDefault) + { + if(optionName == KOptionNameSid) + { + TLex8 lex(*optionValue); + TUint dataValue; + lex.Val(dataValue); + iAppSid = dataValue;//store the appsid value. + LOG(Log::Printf(_L("Application sid value is %d \n"), iAppSid)); + }//else donothing as of now + else + { + User::Leave(KErrArgument); + LOG(Log::Printf(_L(" \nwrong Name\n"))); + } + } + else + { + User::Leave(KErrArgument); + LOG(Log::Printf(_L(" Wrong option KOptionLevelDefault\n"))); + } + CleanupStack::PopAndDestroy(); + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::SetOptL\n"))); + } + +/** + *This method to check the exception. + **/ +TBool CIPSecPolicyManagerHandler::CheckUMAL(TUint32 aIapId) + { + CMDBSession* cmdbSession; + CCDIAPRecord* ptrIapRecord1; + ptrIapRecord1 = static_cast(CCDRecordBase::RecordFactoryL(KCDTIdIAPRecord)); + CleanupStack::PushL(ptrIapRecord1); + cmdbSession = CMDBSession::NewL(CMDBSession::LatestVersion()); + CleanupStack::PushL(cmdbSession); + cmdbSession->SetAttributeMask( ECDHidden | ECDPrivate ); + ptrIapRecord1->SetRecordId(aIapId); + ptrIapRecord1->LoadL(*cmdbSession); + + TUint32 secureId; + secureId = ptrIapRecord1->iAppSid; + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAL Secure id is = %d\n"), secureId)); + CleanupStack::PopAndDestroy(cmdbSession); + CleanupStack::PopAndDestroy(ptrIapRecord1); + TBool result = EFalse; + if(secureId == KGANAppSid) + { + LOG(Log::Printf(_L("\n Exception added to the selector "))); + result = ETrue; + } + else + { + LOG(Log::Printf(_L(" No Exception added \n"))); + } + return result; + } + +/** + *This method to check the exception. + **/ +void CIPSecPolicyManagerHandler::CheckUMAEXception(TUint32 aVpnNetId) + { + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAEXception Entry \n"))); + TUint32 aIapId; + SearchIAPIdL(aVpnNetId, aIapId); + iCurrentException = CheckUMAL(aIapId); + LOG(Log::Printf(_L("CIPSecPolicyManagerHandler::CheckUMAEXception Exit \n"))); + } + +