authordvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>2009-02-13 20:11:55 +0000
committerdvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>2009-02-13 20:11:55 +0000
commit6ca5b4ac7d16097cee23c23c6c270371272cd6d7 (patch)
treeeb92193c41357810b2e94f06c4fd6295da20faad
parent95836e704e48311beab043475aac58c585665337 (diff)
Fixed iax2 key rotation backwards compatibility
Turns key rotation back on by default. Adds a bit to the encryption IE to indicate whether key rotation is supported. If it is not supported then it is not enabled, which ensures backwards compatibility. This eliminates the need for the keyrotate option in iax.conf, so it has been removed. Review: http://reviewboard.digium.com/r/159/ git-svn-id: http://svn.digium.com/svn/asterisk/trunk@175597 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--channels/chan_iax2.c64
-rw-r--r--channels/iax2.h1
-rw-r--r--configs/iax.conf.sample6
3 files changed, 23 insertions, 48 deletions
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index af05cb301..f08c03c53 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -375,9 +375,8 @@ enum iax2_flags {
response, so that we've achieved a three-way handshake with
them before sending voice or anything else*/
IAX_ALLOWFWDOWNLOAD = (1 << 26), /*!< Allow the FWDOWNL command? */
- IAX_NOKEYROTATE = (1 << 27), /*!< Disable key rotation with encryption */
- IAX_IMMEDIATE = (1 << 28), /*!< Allow immediate off-hook to extension s */
- IAX_FORCE_ENCRYPT = (1 << 29), /*!< Forces call encryption, if encryption not possible hangup */
+ IAX_IMMEDIATE = (1 << 27), /*!< Allow immediate off-hook to extension s */
+ IAX_FORCE_ENCRYPT = (1 << 28), /*!< Forces call encryption, if encryption not possible hangup */
};
static int global_rtautoclear = 120;
@@ -1940,7 +1939,7 @@ static int __find_callno(unsigned short callno, unsigned short dcallno, struct s
iaxs[x]->pingid = iax2_sched_add(sched, ping_time * 1000, send_ping, (void *)(long)x);
iaxs[x]->lagid = iax2_sched_add(sched, lagrq_time * 1000, send_lagrq, (void *)(long)x);
iaxs[x]->amaflags = amaflags;
- ast_copy_flags(iaxs[x], &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
+ ast_copy_flags(iaxs[x], &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_FORCE_ENCRYPT);
ast_string_field_set(iaxs[x], accountcode, accountcode);
ast_string_field_set(iaxs[x], mohinterpret, mohinterpret);
ast_string_field_set(iaxs[x], mohsuggest, mohsuggest);
@@ -3556,7 +3555,7 @@ static int create_addr(const char *peername, struct ast_channel *c, struct socka
if (peer->maxms && ((peer->lastms > peer->maxms) || (peer->lastms < 0)))
goto return_unref;
- ast_copy_flags(cai, peer, IAX_SENDANI | IAX_TRUNK | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
+ ast_copy_flags(cai, peer, IAX_SENDANI | IAX_TRUNK | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_FORCE_ENCRYPT);
cai->maxtime = peer->maxms;
cai->capability = peer->capability;
cai->encmethods = peer->encmethods;
@@ -4042,9 +4041,8 @@ static int iax2_key_rotate(const void *vpvt)
struct iax_ie_data ied = {
.pos = 0,
};
-
+
ast_mutex_lock(&iaxsl[pvt->callno]);
-
pvt->keyrotateid =
ast_sched_thread_add(sched, 120000 + (ast_random() % 180001), iax2_key_rotate, vpvt);
@@ -5006,13 +5004,8 @@ static int iax2_send(struct chan_iax2_pvt *pvt, struct ast_frame *f, unsigned in
pvt->keyrotateid != -1 ? "" : "no "
);
#endif
-
if (pvt->keyrotateid == -1 && f->frametype == AST_FRAME_VOICE && IAX_CALLENCRYPTED(pvt)) {
- if (ast_test_flag(pvt, IAX_NOKEYROTATE)) {
- pvt->keyrotateid = -2;
- } else {
- iax2_key_rotate(pvt);
- }
+ iax2_key_rotate(pvt);
}
if ((ast_test_flag(pvt, IAX_TRUNK) ||
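Review bot: The simplified branch now rests entirely on the -1/-2 sentinel values in `pvt->keyrotateid`, and nothing in this hunk says what they mean; from the rest of the diff, -1 is "not scheduled yet" and -2 is what merge_encryption stores when the peer did not advertise IAX_ENCRYPT_KEYROTATE. Add a comment above the `if`: `/* keyrotateid: -1 = rotation not yet scheduled, -2 = disabled (peer lacks IAX_ENCRYPT_KEYROTATE), otherwise a sched id */`, or better give the two sentinels names in an enum so the -2 literal does not have to be kept in sync between iax2_send and merge_encryption. iax2_send continues outside the hunk.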
@@ -6222,7 +6215,7 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
if (user->maxauthreq > 0)
ast_set_flag(iaxs[callno], IAX_MAXAUTHREQ);
iaxs[callno]->prefs = user->prefs;
- ast_copy_flags(iaxs[callno], user, IAX_CODEC_USER_FIRST | IAX_IMMEDIATE | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
+ ast_copy_flags(iaxs[callno], user, IAX_CODEC_USER_FIRST | IAX_IMMEDIATE | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_FORCE_ENCRYPT);
iaxs[callno]->encmethods = user->encmethods;
/* Store the requested username if not specified */
if (ast_strlen_zero(iaxs[callno]->username))
@@ -6313,6 +6306,9 @@ static void merge_encryption(struct chan_iax2_pvt *p, unsigned int enc)
/* Select exactly one common encryption if there are any */
p->encmethods &= enc;
if (p->encmethods) {
+ if (!(p->encmethods & IAX_ENCRYPT_KEYROTATE)){ /* if key rotation is not supported, turn off keyrotation. */
+ p->keyrotateid = -2;
+ }
if (p->encmethods & IAX_ENCRYPT_AES128)
p->encmethods = IAX_ENCRYPT_AES128;
else
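Review bot: The new check turns key rotation off whenever the remote side's ENCRYPTION IE lacks IAX_ENCRYPT_KEYROTATE, and with the keyrotate= option removed there is no setting left for an administrator to refuse such a peer, so a forceencryption call can still run on a single static key for its whole duration with nothing logged; whether the IE could also be altered on-path depends on when the exchange becomes integrity-protected, which is outside this hunk. At minimum document the downgrade at the new line, `/* Rotation is opt-in via the peer's ENCRYPTION IE; a peer that omits IAX_ENCRYPT_KEYROTATE keeps a static key for the whole call. */`, and consider an ast_debug() message when it happens. The assignment also overwrites keyrotateid regardless of its current value, which would orphan an already-scheduled rotation if merge_encryption can run after iax2_key_rotate for the same call; I cannot see the callers here, so a `if (p->keyrotateid == -1)` guard may or may not be needed. Minor: `)){` wants a space before the brace to match the surrounding code.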
@@ -10336,7 +10332,7 @@ static struct ast_channel *iax2_request(const char *type, int format, void *data
memset(&cai, 0, sizeof(cai));
cai.capability = iax2_capability;
- ast_copy_flags(&cai, &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE);
+ ast_copy_flags(&cai, &globalflags, IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF);
/* Populate our address from the given */
if (create_addr(pds.peer, NULL, &sin, &cai)) {
@@ -10355,7 +10351,7 @@ static struct ast_channel *iax2_request(const char *type, int format, void *data
}
/* If this is a trunk, update it now */
- ast_copy_flags(iaxs[callno], &cai, IAX_TRUNK | IAX_SENDANI | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_NOKEYROTATE);
+ ast_copy_flags(iaxs[callno], &cai, IAX_TRUNK | IAX_SENDANI | IAX_NOTRANSFER | IAX_TRANSFERMEDIA | IAX_USEJITTERBUF | IAX_FORCEJITTERBUF);
if (ast_test_flag(&cai, IAX_TRUNK)) {
int new_callno;
if ((new_callno = make_trunk(callno, 1)) != -1)
@@ -10666,9 +10662,6 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
if (peer) {
if (firstpass) {
- if (ast_test_flag(&globalflags, IAX_NOKEYROTATE)) {
- ast_copy_flags(peer, &globalflags, IAX_NOKEYROTATE);
- }
ast_copy_flags(peer, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_FORCE_ENCRYPT);
peer->encmethods = iax2_encryption;
peer->adsi = adsi;
@@ -10718,7 +10711,7 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
} else if (!strcasecmp(v->name, "auth")) {
peer->authmethods = get_auth_methods(v->value);
} else if (!strcasecmp(v->name, "encryption")) {
- peer->encmethods = get_encrypt_methods(v->value);
+ peer->encmethods |= get_encrypt_methods(v->value);
if (!peer->encmethods) {
ast_clear_flag(peer, IAX_FORCE_ENCRYPT);
}
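Review bot: Switching this line to `peer->encmethods |= get_encrypt_methods(v->value);` makes a per-peer `encryption=` additive, so it can no longer clear the methods the peer inherited from iax2_encryption in the firstpass block earlier in build_peer, and since set_config now always ORs IAX_ENCRYPT_KEYROTATE into that default the `if (!peer->encmethods)` check below can never fire (assuming get_encrypt_methods() returns 0 for a negative value, which is not visible here). If the intent is only to preserve the capability bit, keep that bit and replace the cipher bits: `peer->encmethods = (peer->encmethods & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);` and then test `if (!(peer->encmethods & ~IAX_ENCRYPT_KEYROTATE))`. build_peer continues outside the hunk.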
@@ -10726,16 +10719,11 @@ static struct iax2_peer *build_peer(const char *name, struct ast_variable *v, st
if (ast_false(v->value)) {
ast_clear_flag(peer, IAX_FORCE_ENCRYPT);
} else {
- peer->encmethods = get_encrypt_methods(v->value);
+ peer->encmethods |= get_encrypt_methods(v->value);
if (peer->encmethods) {
ast_set_flag(peer, IAX_FORCE_ENCRYPT);
}
}
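Review bot: After `peer->encmethods |= get_encrypt_methods(v->value);` the `if (peer->encmethods)` test on the next line is satisfied by the IAX_ENCRYPT_KEYROTATE bit alone, which the peer inherits from iax2_encryption earlier in build_peer, so IAX_FORCE_ENCRYPT is now set even when no cipher was selected; whether that later hangs the call up or lets it proceed is decided outside this hunk. Test the cipher bits instead: `if (peer->encmethods & ~IAX_ENCRYPT_KEYROTATE) {`, and keep only the capability bit across the assignment, `peer->encmethods = (peer->encmethods & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);`, so a forceencryption value cannot silently accumulate onto earlier settings.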
- } else if (!strcasecmp(v->name, "keyrotate")) {
- if (ast_false(v->value))
- ast_set_flag(peer, IAX_NOKEYROTATE);
- else
- ast_clear_flag(peer, IAX_NOKEYROTATE);
} else if (!strcasecmp(v->name, "transfer")) {
if (!strcasecmp(v->value, "mediaonly")) {
ast_set_flags_to(peer, IAX_NOTRANSFER|IAX_TRANSFERMEDIA, IAX_TRANSFERMEDIA);
@@ -10945,7 +10933,7 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
user->adsi = adsi;
ast_string_field_set(user, name, name);
ast_string_field_set(user, language, language);
- ast_copy_flags(user, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_CODEC_USER_FIRST | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_NOKEYROTATE | IAX_FORCE_ENCRYPT);
+ ast_copy_flags(user, &globalflags, IAX_USEJITTERBUF | IAX_FORCEJITTERBUF | IAX_CODEC_USER_FIRST | IAX_CODEC_NOPREFS | IAX_CODEC_NOCAP | IAX_FORCE_ENCRYPT);
ast_clear_flag(user, IAX_HASCALLERID);
ast_string_field_set(user, cid_name, "");
ast_string_field_set(user, cid_num, "");
@@ -10990,7 +10978,7 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
} else if (!strcasecmp(v->name, "auth")) {
user->authmethods = get_auth_methods(v->value);
} else if (!strcasecmp(v->name, "encryption")) {
- user->encmethods = get_encrypt_methods(v->value);
+ user->encmethods |= get_encrypt_methods(v->value);
if (!user->encmethods) {
ast_clear_flag(user, IAX_FORCE_ENCRYPT);
}
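Review bot: Same concern as the peer side: `user->encmethods |= get_encrypt_methods(v->value);` cannot clear methods already present, and because the default the user starts from now carries IAX_ENCRYPT_KEYROTATE the `if (!user->encmethods)` guard below is unreachable, so a user-level `encryption=no` (presumably 0 from get_encrypt_methods, not visible here) no longer drops IAX_FORCE_ENCRYPT or the inherited ciphers. Replace the cipher bits while keeping the capability bit: `user->encmethods = (user->encmethods & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);` and check `if (!(user->encmethods & ~IAX_ENCRYPT_KEYROTATE))`. build_user continues outside the hunk.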
@@ -10998,16 +10986,11 @@ static struct iax2_user *build_user(const char *name, struct ast_variable *v, st
if (ast_false(v->value)) {
ast_clear_flag(user, IAX_FORCE_ENCRYPT);
} else {
- user->encmethods = get_encrypt_methods(v->value);
+ user->encmethods |= get_encrypt_methods(v->value);
if (user->encmethods) {
ast_set_flag(user, IAX_FORCE_ENCRYPT);
}
}
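Review bot: `if (user->encmethods)` on the line after the new `|=` is true as soon as the IAX_ENCRYPT_KEYROTATE capability bit is present, so forceencryption sets IAX_FORCE_ENCRYPT for a user with no cipher selected. Mask the capability bit in the test, `if (user->encmethods & ~IAX_ENCRYPT_KEYROTATE) {`, and assign rather than OR the cipher bits, `user->encmethods = (user->encmethods & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);`.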
- } else if (!strcasecmp(v->name, "keyrotate")) {
- if (ast_false(v->value))
- ast_set_flag(user, IAX_NOKEYROTATE);
- else
- ast_clear_flag(user, IAX_NOKEYROTATE);
} else if (!strcasecmp(v->name, "transfer")) {
if (!strcasecmp(v->value, "mediaonly")) {
ast_set_flags_to(user, IAX_NOTRANSFER|IAX_TRANSFERMEDIA, IAX_TRANSFERMEDIA);
@@ -11272,7 +11255,9 @@ static int set_config(char *config_file, int reload)
/* Reset Global Flags */
memset(&globalflags, 0, sizeof(globalflags));
ast_set_flag(&globalflags, IAX_RTUPDATE);
- ast_set_flag(&globalflags, IAX_NOKEYROTATE); /* turn off key rotate by default since it breaks backwards compatibility at the moment. */
+
+ /* Turns on support for key rotation during encryption. */
+ iax2_encryption |= IAX_ENCRYPT_KEYROTATE;
#ifdef SO_NO_CHECK
nochecksums = 0;
#endif
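Review bot: `iax2_encryption |= IAX_ENCRYPT_KEYROTATE;` sits in the block that resets globals for a (re)load, but unlike globalflags just above it the variable is OR-ed rather than reset, so if iax2_encryption is not zeroed elsewhere in set_config (nothing visible here does) the ciphers from the previous configuration survive a reload and removing `encryption=` from [general] has no effect until restart. Since this is the reset block, assign the default outright: `iax2_encryption = IAX_ENCRYPT_KEYROTATE; /* default: no cipher, rotation supported */`. set_config continues outside the hunk.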
@@ -11381,7 +11366,7 @@ static int set_config(char *config_file, int reload)
} else if (!strcasecmp(v->name, "authdebug")) {
authdebug = ast_true(v->value);
} else if (!strcasecmp(v->name, "encryption")) {
- iax2_encryption = get_encrypt_methods(v->value);
+ iax2_encryption |= get_encrypt_methods(v->value);
if (!iax2_encryption) {
ast_clear_flag((&globalflags), IAX_FORCE_ENCRYPT);
}
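Review bot: With `iax2_encryption |= get_encrypt_methods(v->value);` the `if (!iax2_encryption)` check below can no longer be reached, because the reset block earlier in set_config has already set IAX_ENCRYPT_KEYROTATE in iax2_encryption before the option loop runs (assuming set_config executes top to bottom, which the line numbers suggest), so a global `encryption=no` keeps IAX_FORCE_ENCRYPT and any earlier ciphers. Keep only the capability bit across the assignment, `iax2_encryption = (iax2_encryption & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);`, and test `if (!(iax2_encryption & ~IAX_ENCRYPT_KEYROTATE))`.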
@@ -11389,16 +11374,11 @@ static int set_config(char *config_file, int reload)
if (ast_false(v->value)) {
ast_clear_flag((&globalflags), IAX_FORCE_ENCRYPT);
} else {
- iax2_encryption = get_encrypt_methods(v->value);
+ iax2_encryption |= get_encrypt_methods(v->value);
if (iax2_encryption) {
ast_set_flag((&globalflags), IAX_FORCE_ENCRYPT);
}
}
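Review bot: `if (iax2_encryption)` after the new `|=` is satisfied by the IAX_ENCRYPT_KEYROTATE bit that set_config now always carries, so a global forceencryption sets IAX_FORCE_ENCRYPT even when get_encrypt_methods() selected no cipher. Use `if (iax2_encryption & ~IAX_ENCRYPT_KEYROTATE) {` and assign the cipher bits with the capability bit masked in, `iax2_encryption = (iax2_encryption & IAX_ENCRYPT_KEYROTATE) | get_encrypt_methods(v->value);`, so that the value of forceencryption, not leftover state, decides the flag.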
- } else if (!strcasecmp(v->name, "keyrotate")) {
- if (ast_false(v->value))
- ast_set_flag((&globalflags), IAX_NOKEYROTATE);
- else
- ast_clear_flag((&globalflags), IAX_NOKEYROTATE);
} else if (!strcasecmp(v->name, "transfer")) {
if (!strcasecmp(v->value, "mediaonly")) {
ast_set_flags_to((&globalflags), IAX_NOTRANSFER|IAX_TRANSFERMEDIA, IAX_TRANSFERMEDIA);
diff --git a/channels/iax2.h b/channels/iax2.h
index 98e7480db..2b79e91d0 100644
--- a/channels/iax2.h
+++ b/channels/iax2.h
@@ -187,6 +187,7 @@ enum {
#define IAX_AUTH_RSA (1 << 2)
#define IAX_ENCRYPT_AES128 (1 << 0)
+#define IAX_ENCRYPT_KEYROTATE (1 << 15) /*!< Keyrotation support */
#define IAX_META_TRUNK 1 /*!< Trunk meta-message */
#define IAX_META_VIDEO 2 /*!< Video frame */
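Review bot: The new define shares the encmethods bit space with IAX_ENCRYPT_AES128 but is a capability flag rather than a cipher, and the one-word comment does not say so; any code that treats encmethods as "the set of ciphers" (the `if (!encmethods)` checks in chan_iax2.c, the "select exactly one" logic in merge_encryption) has to mask it out. Suggest `#define IAX_ENCRYPT_KEYROTATE (1 << 15) /*!< Capability bit in the ENCRYPTION IE: peer supports IAX_COMMAND_RTENC key rotation. Not a cipher; mask out before selecting one */`. If the ENCRYPTION IE is serialised as a 16-bit value on the wire (not visible here), bit 15 is its top bit and a note to that effect would help whoever adds the next flag.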
diff --git a/configs/iax.conf.sample b/configs/iax.conf.sample
index d339ae063..df7796f2c 100644
--- a/configs/iax.conf.sample
+++ b/configs/iax.conf.sample
@@ -180,12 +180,6 @@ forcejitterbuffer=no
; encryption. By turning this option on, encryption is automatically turned on as well.
;
; forceencryption = yes
-;
-; This is a compatibility option for older versions of IAX2 that do not support
-; key rotation with encryption. This option will disable the IAX_COMMAND_RTENC message.
-; default is on
-;
-; keyrotate=off
; This option defines the maximum size an IAX2 trunk can grow to. The default value is 128000 bytes which
; represents 40ms uncompressed linear with 200 channels. Depending on different things though