@@ -50,7 +50,6 @@

 #include "ipsec.h"

 #include "spi_gen.h"

-#include "port_gen.h"

 #include "cmd.h"

 #include "sec_agree.h"

@@ -351,57 +350,26 @@ static int update_contact_ipsec_params(ipsec_t* s, const struct sip_msg* m, ipse

     s->ik.len = ik.len;

     // Generate SPI

-    if((s->spi_pc = acquire_spi()) == 0) {

-        LM_ERR("Error generating client SPI for IPSEC tunnel creation\n");

-        shm_free(s->ck.s);

-        s->ck.s = NULL; s->ck.len = 0;

-        shm_free(s->ik.s);

-        s->ik.s = NULL; s->ik.len = 0;

-        return -1;

+    if(s_old) {

+        if(s_old->spi_pc && s_old->spi_ps && s_old->port_pc && s_old->port_ps) {

+            LM_INFO("Reusing IPSEC tunnel\n");

+            s->spi_pc = s_old->spi_pc;

+            s->spi_ps = s_old->spi_ps;

+            s->port_pc = s_old->port_pc;

+            s->port_ps = s_old->port_ps;

+            return 0;

+        }

     }

-    if((s->spi_ps = acquire_spi()) == 0) {

-        LM_ERR("Error generating server SPI for IPSEC tunnel creation\n");

+    if(acquire_spi(&s->spi_pc, &s->spi_ps, &s->port_pc, &s->port_ps) == 0) {

+        LM_ERR("Error generating client SPI for IPSEC tunnel creation\n");

         shm_free(s->ck.s);

         s->ck.s = NULL; s->ck.len = 0;

         shm_free(s->ik.s);

         s->ik.s = NULL; s->ik.len = 0;

-

-		release_spi(s->spi_pc);

         return -1;

     }

-    if((s->port_pc = acquire_cport()) == 0){

-        LM_ERR("No free client port for IPSEC tunnel creation\n");

-		shm_free(s->ck.s);

-		s->ck.s = NULL; s->ck.len = 0;

-		shm_free(s->ik.s);

-		s->ik.s = NULL; s->ik.len = 0;

-

-		release_spi(s->spi_pc);

-		release_spi(s->spi_ps);

-        return -1;

-    }

-

-	// use the same P-CSCF server port if it is present

-	if(s_old){

-		s->port_ps = s_old->port_ps;

-	}else{

-		if((s->port_ps = acquire_sport()) == 0){

-			LM_ERR("No free server port for IPSEC tunnel creation\n");

-			shm_free(s->ck.s);

-			s->ck.s = NULL; s->ck.len = 0;

-			shm_free(s->ik.s);

-			s->ik.s = NULL; s->ik.len = 0;

-

-			release_cport(s->port_pc);

-

-			release_spi(s->spi_pc);

-			release_spi(s->spi_ps);

-			return -1;

-		}

-	}

-

 	return 0;

 }

@@ -508,12 +476,7 @@ static int destroy_ipsec_tunnel(str remote_addr, ipsec_t* s, unsigned short rece

     remove_policy(sock, remote_addr, ipsec_addr, s->port_us, s->port_pc, s->spi_pc, ip_addr.af, IPSEC_POLICY_DIRECTION_IN);

     // Release SPIs

-    release_spi(s->spi_pc);

-    release_spi(s->spi_ps);

-

-    // Release the client and the server ports

-    release_cport(s->port_pc);

-    release_sport(s->port_ps);

+    release_spi(s->spi_pc, s->spi_ps, s->port_pc, s->port_ps);

     close_mnl_socket(sock);

     return 0;

@@ -692,74 +655,69 @@ int ipsec_create(struct sip_msg* m, udomain_t* d, int _cflags)

     struct sip_msg* req = t->uas.request;

+    // Parse security parameters from the REGISTER request and get some data for the new tunnels

+    security_t* req_sec_params = cscf_get_security(req);

+    ipsec_t* s;

+    ipsec_t* old_s = NULL;

+

     // Update contacts only for initial registration, for re-registration the existing contacts shouldn't be updated.

     if(ci.via_port == SIP_PORT){

         LM_DBG("Registration for contact with AOR [%.*s], VIA [%d://%.*s:%d], received_host [%d://%.*s:%d]\n",

                 ci.aor.len, ci.aor.s, ci.via_prot, ci.via_host.len, ci.via_host.s, ci.via_port,

                 ci.received_proto, ci.received_host.len, ci.received_host.s, ci.received_port);

-        ipsec_t* s = pcontact->security_temp->data.ipsec;

+        if(req_sec_params == NULL)

+            s = pcontact->security_temp->data.ipsec;

+        else

+            s = req_sec_params->data.ipsec;

+    }else{

+        LM_DBG("RE-Registration for contact with AOR [%.*s], VIA [%d://%.*s:%d], received_host [%d://%.*s:%d]\n",

+                ci.aor.len, ci.aor.s, ci.via_prot, ci.via_host.len, ci.via_host.s, ci.via_port,

+                ci.received_proto, ci.received_host.len, ci.received_host.s, ci.received_port);

-		// for initial Registration use a new P-CSCF server port

-        if(update_contact_ipsec_params(s, m, NULL) != 0) {

+        if(req_sec_params == NULL) {

+            LM_CRIT("No security parameters in REGISTER request\n");

             goto cleanup;

         }

-        if(create_ipsec_tunnel(&req->rcv.src_ip, s) != 0){

-            goto cleanup;

-        }

+        s = req_sec_params->data.ipsec;

+        old_s = (ipsec_reuse_server_port && pcontact->security_temp) ? pcontact->security_temp->data.ipsec : NULL;

+    }

-        if (ul.update_pcontact(d, &ci, pcontact) != 0){

-            LM_ERR("Error updating contact\n");

-            goto cleanup;

-        }

+    if(update_contact_ipsec_params(s, m, old_s) != 0) {

+        goto cleanup;

+    }

+    if(create_ipsec_tunnel(&req->rcv.src_ip, s) != 0){

+        goto cleanup;

+    }

+

+    if (ul.update_pcontact(d, &ci, pcontact) != 0){

+        LM_ERR("Error updating contact\n");

+        goto cleanup;

+    }

+

+    if(ci.via_port == SIP_PORT){

         // Update temp security parameters

         if(ul.update_temp_security(d, pcontact->security_temp->type, pcontact->security_temp, pcontact) != 0){

             LM_ERR("Error updating temp security\n");

         }

+    }

-        if(add_supported_secagree_header(m) != 0) {

-            goto cleanup;

-        }

-        if(add_security_server_header(m, s) != 0) {

-            goto cleanup;

-        }

+    if(add_supported_secagree_header(m) != 0) {

+        goto cleanup;

+    }

+    if(add_security_server_header(m, s) != 0) {

+        goto cleanup;

+    }

+

+    if(ci.via_port == SIP_PORT){

         if(ul.register_ulcb(pcontact, PCSCF_CONTACT_EXPIRE|PCSCF_CONTACT_DELETE, ipsec_on_expire, (void*)&pcontact->received_port) != 1) {

             LM_ERR("Error subscribing for contact\n");

             goto cleanup;

         }

-    }else{

-        LM_DBG("RE-Registration for contact with AOR [%.*s], VIA [%d://%.*s:%d], received_host [%d://%.*s:%d]\n",

-                ci.aor.len, ci.aor.s, ci.via_prot, ci.via_host.len, ci.via_host.s, ci.via_port,

-                ci.received_proto, ci.received_host.len, ci.received_host.s, ci.received_port);

-        

-        security_t* req_sec_params = NULL;

-

-        // Parse security parameters from the REGISTER request and get some data for the new tunnels

-        if((req_sec_params = cscf_get_security(req)) == NULL) {

-            LM_CRIT("No security parameters in REGISTER request\n");

-            goto cleanup;

-        }

-

-		// for Re-Registration use the same P-CSCF server port if 'ipsec reuse server port' is enabled

-        if(update_contact_ipsec_params(req_sec_params->data.ipsec, m, ipsec_reuse_server_port ? pcontact->security_temp->data.ipsec : NULL) != 0) {

-            goto cleanup;

-        }

-

-        if(create_ipsec_tunnel(&req->rcv.src_ip, req_sec_params->data.ipsec) != 0){

-            goto cleanup;

-        }

-

-        if(add_supported_secagree_header(m) != 0) {

-            goto cleanup;

-        }

-

-        if(add_security_server_header(m, req_sec_params->data.ipsec) != 0) {

-            goto cleanup;

-        }

     }

     ret = IPSEC_CMD_SUCCESS;    // all good, set ret to SUCCESS, and exit

@@ -1004,10 +962,9 @@ int ipsec_reconfig()

 		return 0;

 	}

-	clean_spi_list();

-	clean_port_lists();

-

-	LM_DBG("Clean all ipsec tunnels\n");

+	if(clean_spi_list() != 0) {

+		return 1;

+	}

 	return ipsec_cleanall();

 }

@@ -82,7 +82,7 @@ modparam("ims_ipsec_pcscf", "ipsec_listen_addr6", "")

     <section>

       <title><varname>ipsec_client_port</varname> (int)</title>

-      <para>Start port number which will be bound for incoming (server) IPSec traffic.</para>

+      <para>Port number which will be bound for incoming (server) IPSec traffic.</para>

       <para><emphasis>Default value is 5062.</emphasis></para>

@@ -100,7 +100,7 @@ modparam("ims_ipsec_pcscf", "ipsec_client_port", 5062)

     <section>

       <title><varname>ipsec_server_port</varname> (int)</title>

-      <para>Start port number which will be bound for incoming (server) IPSec traffic.</para>

+      <para>Port number which will be bound for incoming (server) IPSec traffic.</para>

       <para><emphasis>Default value is 5063.</emphasis></para>

@@ -118,9 +118,7 @@ modparam("ims_ipsec_pcscf", "ipsec_server_port", 5063)

     <section>

       <title><varname>ipsec_max_connections</varname> (int)</title>

-      <para>Maximum IPSec connections for the process. E.g. if ipsec_client_port=5100, ipsec_server_port=6100 and

-      ipsec_max_connections=10, all client ports between 5100 and 5109 and all server ports between 6100 and 6109

-      will be used for maximum to 10 IPSec connections.</para>

+      <para>Maximum simultanious IPSec connections</para>

       <para><emphasis>Default value is 2.</emphasis></para>

@@ -138,11 +136,9 @@ modparam("ims_ipsec_pcscf", "ipsec_max_connections", 10)

     <section>

       <title><varname>ipsec_reuse_server_port</varname> (int)</title>

-      <para>Reuse (1) or not (0) the P-CSCF Server port for Re-registration for one UA.

-      When set to 0 - During Re-registration P-CSCF will distribute new P-CSCF client and

-      P-CSCF server ports.

-      When set to 1 - During Re-registration P-CSCF will reuse the old P-CSCF server port and

-      will distribute a new P-CSCF client port.</para>

+      <para>Reuse (1) or not (0) the P-CSCF IPSec information for Re-registration for one UA.

+      When set to 0 - During Re-registration P-CSCF will create new IPSec tunnels.

+      When set to 1 - During Re-registration P-CSCF will reuse the old IPSec tunnels.</para>

       <para><emphasis>Default value is 1.</emphasis></para>

@@ -192,6 +188,40 @@ modparam("ims_ipsec_pcscf", "ipsec_spi_id_start", 100)

         <programlisting format="linespecific">

 ...

 modparam("ims_ipsec_pcscf", "ipsec_spi_id_range", 1000)

+...

+        </programlisting>

+      </example>

+    </section>

+

+    <section>

+      <title><varname>ipsec_preferred_alg</varname> (string)</title>

+

+      <para>A name of an authentication algorithm which the Proxy-CSCF will <emphasis>prefer</emphasis> when creating IPSec tunnels.</para>

+      <para><emphasis>Default value is empty string (null) - the last algorithm in the Sec-Agree header will be used.</emphasis></para>

+

+      <example>

+        <title><varname>ipsec_preferred_alg</varname> parameter usage</title>

+

+        <programlisting format="linespecific">

+...

+modparam("ims_ipsec_pcscf", "ipsec_preferred_alg", "hmac-sha-1-96")

+...

+        </programlisting>

+      </example>

+    </section>

+

+    <section>

+      <title><varname>ipsec_preferred_ealg</varname> (string)</title>

+

+      <para>A name of an encrytion algorithm which the Proxy-CSCF will <emphasis>prefer</emphasis> when creating IPSec tunnels.</para>

+      <para><emphasis>Default value is empty string (null) - the last algorithm in the Sec-Agree header will be used. Note that the possibility of it being the "null" algorithm is not insignificant.</emphasis></para>

+

+      <example>

+        <title><varname>ipsec_preferred_ealg</varname> parameter usage</title>

+

+        <programlisting format="linespecific">

+...

+modparam("ims_ipsec_pcscf", "ipsec_preferred_ealg", "aes-cbc")

 ...

         </programlisting>

       </example>

@@ -28,8 +28,6 @@

 #include "cmd.h"

 #include "spi_gen.h"

-#include "port_gen.h"

-

 MODULE_VERSION

@@ -45,6 +43,8 @@ int ipsec_reuse_server_port = 1;

 int ipsec_max_connections = 2;

 int spi_id_start = 100;

 int spi_id_range = 1000;

+str ipsec_preferred_alg= STR_NULL;

+str ipsec_preferred_ealg= STR_NULL;

 int xfrm_user_selector = 143956232;

 ip_addr_t ipsec_listen_ip_addr;

@@ -92,6 +92,8 @@ static param_export_t params[] = {

 	{"ipsec_max_connections",	INT_PARAM, &ipsec_max_connections	},

 	{"ipsec_spi_id_start",		INT_PARAM, &spi_id_start			},

 	{"ipsec_spi_id_range",		INT_PARAM, &spi_id_range			},

+	{"ipsec_preferred_alg",		PARAM_STR, &ipsec_preferred_alg		},

+	{"ipsec_preferred_ealg",	PARAM_STR, &ipsec_preferred_ealg	},

 	{0, 0, 0}

 };

@@ -302,16 +304,11 @@ static int mod_init(void) {

 	}

 	int res = 0;

-	if((res = init_spi_gen(spi_id_start, spi_id_range)) != 0) {

+    if((res = init_spi_gen(spi_id_start, spi_id_range, ipsec_server_port, ipsec_client_port, ipsec_max_connections)) != 0) {

 		LM_ERR("Error initialising spi generator. Error: %d\n", res);

 		return -1;

 	}

-	if((res = init_port_gen(ipsec_server_port, ipsec_client_port, ipsec_max_connections)) != 0) {

-		LM_ERR("Error initialising port generator. Error: %d\n", res);

-		return -1;

-	}

-

 	init_flag = 1;

 	return 0;

@@ -327,9 +324,6 @@ static void mod_destroy(void)

 		LM_ERR("Error destroying spi generator\n");

 	}

-	if(destroy_port_gen() != 0){

-		LM_ERR("Error destroying port generator\n");

-	}

 }

 static int child_init(int rank)

@@ -24,7 +24,6 @@

 #include "ipsec.h"

 #include "spi_gen.h"

-#include "port_gen.h"

 #include "../../core/dprint.h"

 #include "../../core/mem/pkg.h"

@@ -198,27 +197,19 @@ int add_sa(struct mnl_socket* nl_sock, const struct ip_addr *src_addr_param, con

     // add encription algorithm for this SA

     l_enc_algo = (struct xfrm_algo *)l_enc_algo_buf;

-    // cipher_null, des,  des3_ede, aes

-    strcpy(l_enc_algo->alg_name,"cipher_null");

     if (strncasecmp(r_ealg.s,"aes-cbc",r_ealg.len) == 0) {

-        LM_DBG("Creating security associations: AES\n");

         strcpy(l_enc_algo->alg_name,"aes");

         l_enc_algo->alg_key_len = ck.len * 4;

         string_to_key(l_enc_algo->alg_key, ck);

     }

     else if (strncasecmp(r_ealg.s,"des-ede3-cbc",r_ealg.len) == 0) {

-        LM_DBG("Creating security associations: DES, ck.len=%d\n",ck.len);

         strcpy(l_enc_algo->alg_name,"des3_ede");

-        str ck1;

-        ck1.s = pkg_malloc (128);

-        strncpy(ck1.s,ck.s,32);

-        strncat(ck1.s,ck.s,16);

-        ck1.len=32+16;

-

-        l_enc_algo->alg_key_len = ck1.len * 4;

-        string_to_key(l_enc_algo->alg_key, ck1);

-

-        pkg_free(ck1.s);

+        l_enc_algo->alg_key_len = ck.len * 4;

+        string_to_key(l_enc_algo->alg_key, ck);

+    } else {

+        // set default algorithm to null

+        strcpy(l_enc_algo->alg_name,"cipher_null");

+    	l_enc_algo->alg_key_len = 0;

     }

     mnl_attr_put(l_nlh, XFRMA_ALG_CRYPT, sizeof(struct xfrm_algo) + l_enc_algo->alg_key_len, l_enc_algo);

@@ -814,13 +805,7 @@ static int delete_unused_sa_cb(const struct nlmsghdr *nlh, void *data)

     // NOTE: Release the Proxy SPIs and Ports only here. Do not release the same SPIs and ports in delete unsused policy callback.

     // Release SPIs

-    release_spi(ipsec.spi_pc);

-    release_spi(ipsec.spi_ps);

-

-    // Release the client and the server ports

-    release_cport(ipsec.port_pc);

-    release_sport(ipsec.port_ps);

-

+    release_spi(ipsec.spi_pc, ipsec.spi_ps, ipsec.port_pc, ipsec.port_ps);

     return MNL_CB_OK;

 }

deleted file mode 100644

@@ -1,227 +0,0 @@

-/*

- * IMS IPSEC PCSCF module

- *

- * Copyright (C) 2018 Tsvetomir Dimitrov

- * Copyright (C) 2019 Aleksandar Yosifov

- *

- * This file is part of Kamailio, a free SIP server.

- *

- * Kamailio is free software; you can redistribute it and/or modify

- * it under the terms of the GNU General Public License as published by

- * the Free Software Foundation; either version 2 of the License, or

- * (at your option) any later version

- *

- * Kamailio is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- * GNU General Public License for more details.

- *

- * You should have received a copy of the GNU General Public License

- * along with this program; if not, write to the Free Software

- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

- *

- */

-

-#include "spi_gen.h"

-#include "spi_list.h"

-#include <pthread.h>

-#include "../../core/mem/shm_mem.h"

-

-typedef struct port_generator{

-	pthread_mutex_t	sport_mut;		// server port mutex

-	pthread_mutex_t	cport_mut;		// client port mutex

-	spi_list_t		used_sports;	// list with used server ports

-	spi_list_t		used_cports;	// list with used client ports

-	uint32_t		sport_val;		// the last acquired server port

-	uint32_t		cport_val;		// the last acquired client port

-	uint32_t		min_sport;

-	uint32_t		min_cport;

-	uint32_t		max_sport;

-	uint32_t		max_cport;

-} port_generator_t;

-

-port_generator_t* port_data = NULL;

-

-int init_port_gen(uint32_t sport_start_val, uint32_t cport_start_val, uint32_t range)

-{

-    if(sport_start_val < 1 || cport_start_val < 1){

-        return 1;

-    }

-

-    if((UINT32_MAX - range < sport_start_val) || (UINT32_MAX - range < cport_start_val)){

-        return 2;

-    }

-

-	if(port_data){

-		return 3;

-	}

-

-	port_data = shm_malloc(sizeof(port_generator_t));

-	if(port_data == NULL){

-		return 4;

-	}

-

-	if(pthread_mutex_init(&port_data->sport_mut, NULL)){

-		shm_free(port_data);

-		return 5;

-	}

-

-	if(pthread_mutex_init(&port_data->cport_mut, NULL)){

-		pthread_mutex_destroy(&port_data->sport_mut);

-		shm_free(port_data);

-		return 6;

-	}

-

-	port_data->used_sports = create_list();

-	port_data->used_cports = create_list();

-

-	port_data->sport_val = port_data->min_sport = sport_start_val;

-	port_data->cport_val = port_data->min_cport = cport_start_val;

-	port_data->max_sport = sport_start_val + range;

-	port_data->max_cport = cport_start_val + range;

-

-    return 0;

-}

-

-uint32_t acquire_port(spi_list_t* used_ports, pthread_mutex_t* port_mut, uint32_t* port_val, uint32_t min_port, uint32_t max_port)

-{

-	//save the initial value for the highly unlikely case where there are no free PORTs

-    uint32_t initial_val = *port_val;

-    uint32_t ret = 0; // by default return invalid port

-

-    if(pthread_mutex_lock(port_mut) != 0) {

-        return ret;

-    }

-

-    while(1){

-        if(spi_in_list(used_ports, *port_val) == 0) {

-            ret = *port_val;

-            (*port_val)++;

-

-			if(*port_val >= max_port) { //reached the top of the range - reset

-				*port_val = min_port;

-			}

-

-            break;

-        }

-

-        (*port_val)++; //the current server port is not available - increment

-

-        if(*port_val >= max_port) { //reached the top of the range - reset

-            *port_val = min_port;

-        }

-

-        if(*port_val == initial_val) { //there are no free server ports

-            pthread_mutex_unlock(port_mut);

-            return ret;

-        }

-    }

-

-    // found unused server port - add it to the used list

-    if(spi_add(used_ports, ret) != 0) {

-        ret = 0;

-    }

-

-    pthread_mutex_unlock(port_mut);

-    return ret;

-}

-

-uint32_t acquire_sport()

-{

-	if(!port_data){

-		return 0;

-	}

-

-	return acquire_port(&port_data->used_sports, &port_data->sport_mut, &port_data->sport_val, port_data->min_sport, port_data->max_sport);

-}

-

-uint32_t acquire_cport()

-{

-	if(!port_data){

-		return 0;

-	}

-

-	return acquire_port(&port_data->used_cports, &port_data->cport_mut, &port_data->cport_val, port_data->min_cport, port_data->max_cport);

-}

-

-int release_sport(uint32_t port)

-{

-	if(!port_data){

-		return 1;

-	}

-

-	if(pthread_mutex_lock(&port_data->sport_mut) != 0){

-        return 1;

-    }

-

-	spi_remove(&port_data->used_sports, port);

-

-	pthread_mutex_unlock(&port_data->sport_mut);

-    return 0;

-}

-

-int release_cport(uint32_t port)

-{

-	if(!port_data){

-		return 1;

-	}

-

-	if(pthread_mutex_lock(&port_data->cport_mut) != 0){

-        return 1;

-    }

-

-	spi_remove(&port_data->used_cports, port);

-

-	pthread_mutex_unlock(&port_data->cport_mut);

-    return 0;

-}

-

-int clean_port_lists()

-{

-	if(!port_data){

-		return 1;

-	}

-

-	if(pthread_mutex_lock(&port_data->sport_mut) != 0){

-		return 1;

-	}

-

-	destroy_list(&port_data->used_sports);

-

-	pthread_mutex_unlock(&port_data->sport_mut);

-

-	if(pthread_mutex_lock(&port_data->cport_mut) != 0){

-		return 1;

-	}

-

-	destroy_list(&port_data->used_cports);

-

-	pthread_mutex_unlock(&port_data->cport_mut);

-

-	return 0;

-}

-

-int destroy_port_gen()

-{

-	if(!port_data){

-		return 1;

-	}

-

-	int ret;

-

-	destroy_list(&port_data->used_sports);

-	destroy_list(&port_data->used_cports);

-

-	port_data->sport_val = port_data->min_sport;

-	port_data->cport_val = port_data->min_cport;

-

-	ret = pthread_mutex_destroy(&port_data->sport_mut);

-    if(ret != 0){

-		shm_free(port_data);

-        return ret;

-    }

-

-	ret = pthread_mutex_destroy(&port_data->cport_mut);

-	shm_free(port_data);

-	return ret;

-}

deleted file mode 100644

@@ -1,41 +0,0 @@

-/*

- * IMS IPSEC PCSCF module

- *

- * Copyright (C) 2018 Tsvetomir Dimitrov

- * Copyright (C) 2019 Aleksandar Yosifov

- *

- * This file is part of Kamailio, a free SIP server.

- *

- * Kamailio is free software; you can redistribute it and/or modify

- * it under the terms of the GNU General Public License as published by

- * the Free Software Foundation; either version 2 of the License, or

- * (at your option) any later version

- *

- * Kamailio is distributed in the hope that it will be useful,

- * but WITHOUT ANY WARRANTY; without even the implied warranty of

- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

- * GNU General Public License for more details.

- *

- * You should have received a copy of the GNU General Public License

- * along with this program; if not, write to the Free Software

- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

- *

- */

-

-#ifndef _SPI_GEN_H_

-

-#include <stdint.h>

-

-//

-// PORT GEN is based on SPI list, because the logics of the SPI gen and PORT gen are basically the same.

-// It is used as an unique port generator for the TCP client and server ports.

-

-int init_port_gen(uint32_t sport_start_val, uint32_t cport_start_val, uint32_t range);

-int clean_port_lists();

-int destroy_port_gen();

-uint32_t acquire_sport(); // acquare server port

-uint32_t acquire_cport(); // acquare client port

-int release_sport(uint32_t port); // release server port

-int release_cport(uint32_t port); // release client port

-

-#endif /*  _SPI_GEN_H_ */

@@ -25,6 +25,9 @@

 #include "../../core/parser/msg_parser.h"

 #include "../../core/mem/mem.h"

+extern str ipsec_preferred_alg;

+extern str ipsec_preferred_ealg;

+

 static uint32_t parse_digits(str value)

 {

     uint32_t ret = 0;

@@ -68,13 +71,17 @@ static void trim_whitespaces(str* string) {

         DST.len = SRC.len;

-static int process_sec_agree_param(str name, str value, ipsec_t *ret)

+static int process_sec_agree_param(str name, str value, ipsec_t *ret, char *alg_found, char *ealg_found)

 {

     trim_whitespaces(&name);

     trim_whitespaces(&value);

     if(strncasecmp(name.s, "alg", name.len) == 0) {

         SEC_COPY_STR_PARAM(ret->r_alg, value);

+

+        if(ipsec_preferred_alg.len && STR_EQ(value, ipsec_preferred_alg)) {

+            *alg_found = 1;

+        }

     }

     else if(strncasecmp(name.s, "prot", name.len) == 0) {

         SEC_COPY_STR_PARAM(ret->prot, value);

@@ -84,6 +91,10 @@ static int process_sec_agree_param(str name, str value, ipsec_t *ret)

     }

     else if(strncasecmp(name.s, "ealg", name.len) == 0) {

         SEC_COPY_STR_PARAM(ret->r_ealg, value);

+

+        if(ipsec_preferred_ealg.len && STR_EQ(value, ipsec_preferred_ealg)) {

+            *ealg_found = 1;

+        }

     }

     else if(strncasecmp(name.s, "spi-c", name.len) == 0) {

         ret->spi_uc = parse_digits(value);

@@ -157,11 +168,14 @@ static security_t* parse_sec_agree(struct hdr_field* h)

     body.s=body.s+i+1;

     body.len=body.len-i-1;

+    char preferred_alg_found  = 0;

+    char preferred_ealg_found = 0;

+

     // get the rest of the parameters

     i = 0;

     while(i <= body.len) {

         //look for end of buffer or parameter separator

-        if(i == body.len || body.s[i] == ';' ) {

+        if(i == body.len || body.s[i] == ';' || body.s[i] == ',' || body.s[i] == ' ') {

             if(name.len) {

                 // if(name.len) => a param name is parsed

                 // and now i points to the end of its value

@@ -176,9 +190,25 @@ static security_t* parse_sec_agree(struct hdr_field* h)

             i=0;

             if(name.len && value.len) {

-                if(process_sec_agree_param(name, value, params->data.ipsec)) {

+                if(strncasecmp(name.s, "alg", name.len) == 0) {

+                    if(preferred_alg_found && preferred_ealg_found) {

+                        break;

+                    }

+                    preferred_alg_found = 0;

+                    preferred_ealg_found = 0;

+                }

+ 

+                char alg_found  = 0;

+                char ealg_found = 0;

+                if(process_sec_agree_param(name, value, params->data.ipsec, &alg_found, &ealg_found)) {

                     goto cleanup;

                 }

+                if(alg_found) {

+                    preferred_alg_found = 1;

+                }

+                if(ealg_found) {

+                    preferred_ealg_found = 1;

+                }

             }

             //else - something's wrong. Ignore!

@@ -26,23 +26,65 @@

 #include <pthread.h>

 #include "../../core/mem/shm_mem.h"

+#define MAX_HASH_SPI 10000

+

 typedef struct spi_generator{

 	pthread_mutex_t	spis_mut;

-	spi_list_t		used_spis;

+	spi_list_t	used_spis[MAX_HASH_SPI];

+	spi_list_t	free_spi;

 	uint32_t		spi_val;

 	uint32_t		min_spi;

 	uint32_t		max_spi;

+	uint32_t		sport_start_val;

+	uint32_t		cport_start_val;

+	uint32_t		port_range;

 } spi_generator_t;

 spi_generator_t* spi_data = NULL;

-int init_spi_gen(uint32_t start_val, uint32_t range)

+static int init_free_spi()

 {

-    if(start_val < 1) {

+	uint32_t sport_start_val, cport_start_val, port_range, sport, cport, j;

+

+	if(!spi_data) {

+		return 1;

+	}

+

+	sport_start_val = spi_data->sport_start_val;

+	cport_start_val = spi_data->cport_start_val;

+	port_range = spi_data->port_range;

+	//save the initial value for the highly unlikely case where there are no free SPIs

+	sport = sport_start_val;

+	cport = cport_start_val;

+

+	spi_data->free_spi = create_list();

+	for(j = spi_data->min_spi; j < spi_data->max_spi; j+=2)

+	{

+		spi_add(&spi_data->free_spi, j, j+1, cport, sport);

+		cport++;

+		sport++;

+

+		if(cport >= cport_start_val + port_range) {

+			cport = cport_start_val;

+		}

+

+		if(sport >= sport_start_val + port_range) {

+			sport = sport_start_val;

+		}

+	}

+

+	return 0;

+}

+

+int init_spi_gen(uint32_t spi_start_val, uint32_t spi_range, uint32_t sport_start_val, uint32_t cport_start_val, uint32_t port_range)

+{

+    uint32_t j;

+

+    if(spi_start_val < 1) {

         return 1;

     }

-    if(UINT32_MAX - range < start_val) {

+    if(UINT32_MAX - spi_range < spi_start_val) {

         return 2;

     }

@@ -64,67 +106,60 @@ int init_spi_gen(uint32_t start_val, uint32_t range)

 		return 6;

 	}

-    spi_data->used_spis = create_list();

+    for(j = 0; j < MAX_HASH_SPI; j++) {

+        spi_data->used_spis[j] = create_list();

+    }

+

+    spi_data->spi_val  = spi_data->min_spi = spi_start_val;

+    spi_data->max_spi  = spi_start_val + spi_range;

+    spi_data->sport_start_val = sport_start_val;

+    spi_data->cport_start_val = cport_start_val;

+    spi_data->port_range = port_range;

-    spi_data->spi_val = spi_data->min_spi = start_val;

-    spi_data->max_spi = start_val + range;

+	if(init_free_spi() != 0) {

+		return 7;

+	}

 	pthread_mutex_unlock(&spi_data->spis_mut);

     return 0;

 }

-uint32_t acquire_spi()

+uint32_t acquire_spi(uint32_t* spi_cid, uint32_t* spi_sid, uint16_t* cport, uint16_t* sport)

 {

 	if(!spi_data){

+		LM_ERR("spi_data is NULL\n");

 		return 0;

 	}