Add new nua_reload_tls() API for TLS certificate hot-reload

andywolk · andywolk · commit 91041c1d5134 · 2026-02-21T14:16:38.000+03:00
diff --git a/.gitignore b/.gitignore
@@ -70,3 +70,19 @@ test-driver
 utils/sip-date
 utils/sip-dig
 utils/sip-options
+libsofia-sip-ua/http/http_tag_dll.c
+libsofia-sip-ua/iptsec/auth_tag_dll.c
+libsofia-sip-ua/msg/msg_tag_dll.c
+libsofia-sip-ua/msg/msg_tag_ref.c
+libsofia-sip-ua/nea/nea_tag_dll.c
+libsofia-sip-ua/nta/nta_tag_dll.c
+libsofia-sip-ua/nth/nth_tag_dll.c
+libsofia-sip-ua/nua/nua_tag_dll.c
+libsofia-sip-ua/sdp/sdp_tag_dll.c
+libsofia-sip-ua/sip/sip_tag_dll.c
+libsofia-sip-ua/soa/soa_tag_dll.c
+libsofia-sip-ua/stun/stun_tag_dll.c
+libsofia-sip-ua/su/su_tag_dll.c
+libsofia-sip-ua/tport/tport_tag_dll.c
+libsofia-sip-ua/url/url_tag_dll.c
+win32/gawk.exe
diff --git a/libsofia-sip-ua/nta/nta.c b/libsofia-sip-ua/nta/nta.c
@@ -1120,6 +1120,13 @@ void nta_agent_resolver_clean_cache(nta_agent_t *agent)
 #endif
 }
 
+int nta_agent_reload_tls(nta_agent_t *agent, char const *cert_dir)
+{
+  if (!agent || !agent->sa_tports)
+    return -1;
+  return tport_reload_tls(agent->sa_tports, cert_dir);
+}
+
 /** Return agent context. */
 nta_agent_magic_t *nta_agent_magic(nta_agent_t const *agent)
 {
diff --git a/libsofia-sip-ua/nta/sofia-sip/nta.h b/libsofia-sip-ua/nta/sofia-sip/nta.h
@@ -136,6 +136,7 @@ nta_agent_t *nta_agent_create(su_root_t *root,
 
 SOFIAPUBFUN void nta_agent_destroy(nta_agent_t *agent);
 SOFIAPUBFUN void nta_agent_resolver_clean_cache(nta_agent_t *agent);
+SOFIAPUBFUN int nta_agent_reload_tls(nta_agent_t *agent, char const *cert_dir);
 
 SOFIAPUBFUN char const *nta_agent_version(nta_agent_t const *a);
 SOFIAPUBFUN nta_agent_magic_t *nta_agent_magic(nta_agent_t const *a);
diff --git a/libsofia-sip-ua/nua/nua.c b/libsofia-sip-ua/nua/nua.c
@@ -47,6 +47,7 @@
 #include <sofia-sip/sip_status.h>
 #include <sofia-sip/sip_header.h>
 #include <sofia-sip/nta.h>
+#include <sofia-sip/tport_tag.h>
 
 #include "sofia-sip/nua.h"
 #include "sofia-sip/nua_tag.h"
@@ -89,7 +90,7 @@ su_log_t nua_log[] = { SU_LOG_INIT("nua", "NUA_DEBUG", SU_DEBUG) };
  * @param root            Pointer to a root object
  * @param callback        Pointer to event callback function
  * @param magic           Pointer to callback context
- * @param tag,�value, ... List of tagged parameters
+ * @param tag, value, ... List of tagged parameters
  *
  * @retval !=NULL a pointer to a @nua stack object
  * @retval NULL upon an error
@@ -1131,6 +1132,21 @@ nta_agent_t *nua_get_agent(nua_t *nua)
 		return NULL;
 }
 
+/** Reload TLS certificates for all TLS transports in this nua instance.
+ * Sends a signal to the nua event loop so the reload happens on the
+ * internal thread that handles signals (thread-safe).
+ */
+int nua_reload_tls(nua_t *nua, char const *cert_dir)
+{
+	if (!nua || !cert_dir)
+		return -1;
+
+	enter;
+
+	return nua_signal(nua, NULL, NULL, nua_r_reload_tls, 0, NULL,
+			  TPTAG_CERTIFICATE(cert_dir), TAG_NULL());
+}
+
 /** Set has invite of a nua handle */
 void nua_handle_set_has_invite(nua_handle_t *nh, unsigned val)
 {
diff --git a/libsofia-sip-ua/nua/nua_stack.c b/libsofia-sip-ua/nua/nua_stack.c
@@ -699,6 +699,14 @@ void nua_stack_signal(nua_t *nua, su_msg_r msg, nua_ee_data_t *ee)
   case nua_r_nta_agent_resolver_clean_dns_cache:
     nta_agent_resolver_clean_cache(nua->nua_nta);
     break;
+  case nua_r_reload_tls:
+  {
+    char const *cert_dir = NULL;
+
+    tl_gets(tags, TPTAG_CERTIFICATE_REF(cert_dir), TAG_END());
+    nta_agent_reload_tls(nua->nua_nta, cert_dir);
+    break;
+  }
   default:
     break;
   }
diff --git a/libsofia-sip-ua/nua/sofia-sip/nua.h b/libsofia-sip-ua/nua/sofia-sip/nua.h
@@ -161,7 +161,8 @@ typedef enum nua_event_e {
   nua_i_register,		/**< Incoming REGISTER. @NEW_1_12_4. */
   nua_r_unref,			/** Calls nua_unref() from dispatcher @NEW_1_13_3 */
   nua_r_handle_unref,	/** Calls nua_handle_unref() from dispatcher @NEW_1_13_3 */
-  nua_r_nta_agent_resolver_clean_dns_cache /** Calls nua_resolver_clean_dns_cache() from dispatcher @NEW_1_13_12 */
+  nua_r_nta_agent_resolver_clean_dns_cache, /** Calls nua_resolver_clean_dns_cache() from dispatcher @NEW_1_13_12 */
+  nua_r_reload_tls		/** Calls nta_agent_reload_tls() from dispatcher */
 } nua_event_t;
 
 typedef struct event_s {
@@ -404,6 +405,7 @@ SOFIAPUBFUN void nua_unref_user(nua_t *nua);
 SOFIAPUBFUN void nua_handle_unref_user(nua_handle_t *nh);
 SOFIAPUBFUN su_home_t *nua_get_home(nua_t *nua);
 SOFIAPUBFUN nta_agent_t *nua_get_agent(nua_t *nua);
+SOFIAPUBFUN int nua_reload_tls(nua_t *nua, char const *cert_dir);
 SOFIAPUBFUN void nua_handle_set_has_invite(nua_handle_t *nh, unsigned val);
 SOFIAPUBFUN unsigned nua_handle_is_destroyed(nua_handle_t *nh);
 SOFIAPUBFUN void nua_handle_dialog_usage_set_refresh_range(nua_handle_t *nh,
diff --git a/libsofia-sip-ua/tport/sofia-sip/tport.h b/libsofia-sip-ua/tport/sofia-sip/tport.h
@@ -273,6 +273,9 @@ TPORT_DLL int tport_has_tls(tport_t const *tport);
 /** Test if transport provided a verified certificate chain (TLS only) */
 TPORT_DLL int tport_is_verified(tport_t const *tport);
 
+/** Reload TLS certificates on all TLS primaries. */
+TPORT_DLL int tport_reload_tls(tport_t *self, char const *cert_dir);
+
 /** Return true if transport is being updated. */
 TPORT_DLL int tport_is_updating(tport_t const *self);
 
diff --git a/libsofia-sip-ua/tport/tport.c b/libsofia-sip-ua/tport/tport.c
@@ -62,6 +62,14 @@ typedef struct tport_nat_s tport_nat_t;
 #include <errno.h>
 #include <limits.h>
 
+#if HAVE_WIN32
+#include <io.h>
+#define access(_filename, _mode) _access(_filename, _mode)
+#define R_OK (04)
+#else
+#include <unistd.h>
+#endif
+
 #ifndef IPPROTO_SCTP
 #define IPPROTO_SCTP (132)
 #endif
@@ -71,6 +79,7 @@ typedef struct tport_nat_s tport_nat_t;
 #include <sofia-sip/rbtree.h>
 
 #include "tport_internal.h"
+#include "tport_tls.h"
 
 #if HAVE_FUNC
 #elif HAVE_FUNCTION
@@ -280,6 +289,45 @@ int tport_is_verified(tport_t const *self)
   return tport_has_tls(self) && self->tp_is_connected && self->tp_verified;
 }
 
+/** Reload TLS certificates on all TLS primary transports. */
+int tport_reload_tls(tport_t *self, char const *cert_dir)
+{
+  su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
+  tls_issues_t ti = {0};
+  tport_t *tp;
+  int reloaded = 0;
+
+  if (!self || !cert_dir)
+    return -1;
+
+  su_home_auto(autohome, sizeof autohome);
+
+  ti.key = su_sprintf(autohome, "%s/%s", cert_dir, "agent.pem");
+  if (access(ti.key, R_OK) != 0)
+    ti.key = su_sprintf(autohome, "%s/%s", cert_dir, "tls.pem");
+  ti.cert = ti.key;
+  ti.CAfile = su_sprintf(autohome, "%s/%s", cert_dir, "cafile.pem");
+  if (access(ti.CAfile, R_OK) != 0)
+    ti.CAfile = su_sprintf(autohome, "%s/%s", cert_dir, "tls.pem");
+  ti.CApath = su_strdup(autohome, cert_dir);
+  ti.randFile = su_sprintf(autohome, "%s/%s", cert_dir, "tls_seed.dat");
+  ti.configured = 1;
+
+  for (tp = tport_primaries(self); tp; tp = tport_next(tp)) {
+    if (tport_has_tls(tp)) {
+      tport_tls_primary_t *tlspri = (tport_tls_primary_t *)tp->tp_pri;
+      if (tlspri->tlspri_master) {
+        if (tls_reload_cert(tlspri->tlspri_master, &ti) == 0)
+          reloaded++;
+      }
+    }
+  }
+
+  su_home_deinit(autohome);
+
+  return reloaded;
+}
+
 /** Return true if transport is being updated. */
 int tport_is_updating(tport_t const *self)
 {
diff --git a/libsofia-sip-ua/tport/tport_tls.c b/libsofia-sip-ua/tport/tport_tls.c
diff --git a/libsofia-sip-ua/tport/tport_tls.h b/libsofia-sip-ua/tport/tport_tls.h

Original file line number	Diff line number	Diff line change
`@@ -1120,6 +1120,13 @@ void nta_agent_resolver_clean_cache(nta_agent_t *agent)`
`1120`	`1120`	`#endif`
`1121`	`1121`	`}`
`1122`	`1122`
	`1123`	`+int nta_agent_reload_tls(nta_agent_t agent, char const cert_dir)`
	`1124`	`+{`
	`1125`	`+ if (!agent \|\| !agent->sa_tports)`
	`1126`	`+ return -1;`
	`1127`	`+ return tport_reload_tls(agent->sa_tports, cert_dir);`
	`1128`	`+}`
	`1129`	`+`
`1123`	`1130`	`/** Return agent context. */`
`1124`	`1131`	`nta_agent_magic_t nta_agent_magic(nta_agent_t const agent)`
`1125`	`1132`	`{`