Add new nua_reload_tls() API for TLS certificate hot-reload

Author: andywolk

libsofia-sip-ua/nta/nta.c

@@ -1120,6 +1120,13 @@ void nta_agent_resolver_clean_cache(nta_agent_t *agent)
 #endif
 }
 
+int nta_agent_reload_tls(nta_agent_t *agent, char const *cert_dir)
+{
+  if (!agent || !agent->sa_tports)
+    return -1;
+  return tport_reload_tls(agent->sa_tports, cert_dir);
+}
+
 /** Return agent context. */
 nta_agent_magic_t *nta_agent_magic(nta_agent_t const *agent)
 {

libsofia-sip-ua/nta/sofia-sip/nta.h

@@ -136,6 +136,7 @@ nta_agent_t *nta_agent_create(su_root_t *root,
 
 SOFIAPUBFUN void nta_agent_destroy(nta_agent_t *agent);
 SOFIAPUBFUN void nta_agent_resolver_clean_cache(nta_agent_t *agent);
+SOFIAPUBFUN int nta_agent_reload_tls(nta_agent_t *agent, char const *cert_dir);
 
 SOFIAPUBFUN char const *nta_agent_version(nta_agent_t const *a);
 SOFIAPUBFUN nta_agent_magic_t *nta_agent_magic(nta_agent_t const *a);

libsofia-sip-ua/nua/nua.c

@@ -47,6 +47,7 @@
 #include <sofia-sip/sip_status.h>
 #include <sofia-sip/sip_header.h>
 #include <sofia-sip/nta.h>
+#include <sofia-sip/tport_tag.h>
 
 #include "sofia-sip/nua.h"
 #include "sofia-sip/nua_tag.h"
@@ -89,7 +90,7 @@ su_log_t nua_log[] = { SU_LOG_INIT("nua", "NUA_DEBUG", SU_DEBUG) };
  * @param root            Pointer to a root object
  * @param callback        Pointer to event callback function
  * @param magic           Pointer to callback context
- * @param tag, value, ... List of tagged parameters
+ * @param tag, value, ... List of tagged parameters
  *
  * @retval !=NULL a pointer to a @nua stack object
  * @retval NULL upon an error
@@ -1131,6 +1132,21 @@ nta_agent_t *nua_get_agent(nua_t *nua)
 		return NULL;
 }
 
+/** Reload TLS certificates for all TLS transports in this nua instance.
+ * Sends a signal to the nua event loop so the reload happens on the
+ * internal thread that handles signals (thread-safe).
+ */
+int nua_reload_tls(nua_t *nua, char const *cert_dir)
+{
+	if (!nua || !cert_dir)
+		return -1;
+
+	enter;
+
+	return nua_signal(nua, NULL, NULL, nua_r_reload_tls, 0, NULL,
+			  TPTAG_CERTIFICATE(cert_dir), TAG_NULL());
+}
+
 /** Set has invite of a nua handle */
 void nua_handle_set_has_invite(nua_handle_t *nh, unsigned val)
 {

libsofia-sip-ua/nua/nua_stack.c

@@ -699,6 +699,14 @@ void nua_stack_signal(nua_t *nua, su_msg_r msg, nua_ee_data_t *ee)
   case nua_r_nta_agent_resolver_clean_dns_cache:
     nta_agent_resolver_clean_cache(nua->nua_nta);
     break;
+  case nua_r_reload_tls:
+  {
+    char const *cert_dir = NULL;
+
+    tl_gets(tags, TPTAG_CERTIFICATE_REF(cert_dir), TAG_END());
+    nta_agent_reload_tls(nua->nua_nta, cert_dir);
+    break;
+  }
   default:
     break;
   }

libsofia-sip-ua/nua/sofia-sip/nua.h

@@ -161,7 +161,8 @@ typedef enum nua_event_e {
   nua_i_register,		/**< Incoming REGISTER. @NEW_1_12_4. */
   nua_r_unref,			/** Calls nua_unref() from dispatcher @NEW_1_13_3 */
   nua_r_handle_unref,	/** Calls nua_handle_unref() from dispatcher @NEW_1_13_3 */
-  nua_r_nta_agent_resolver_clean_dns_cache /** Calls nua_resolver_clean_dns_cache() from dispatcher @NEW_1_13_12 */
+  nua_r_nta_agent_resolver_clean_dns_cache, /** Calls nua_resolver_clean_dns_cache() from dispatcher @NEW_1_13_12 */
+  nua_r_reload_tls		/** Calls nta_agent_reload_tls() from dispatcher */
 } nua_event_t;
 
 typedef struct event_s {
@@ -404,6 +405,7 @@ SOFIAPUBFUN void nua_unref_user(nua_t *nua);
 SOFIAPUBFUN void nua_handle_unref_user(nua_handle_t *nh);
 SOFIAPUBFUN su_home_t *nua_get_home(nua_t *nua);
 SOFIAPUBFUN nta_agent_t *nua_get_agent(nua_t *nua);
+SOFIAPUBFUN int nua_reload_tls(nua_t *nua, char const *cert_dir);
 SOFIAPUBFUN void nua_handle_set_has_invite(nua_handle_t *nh, unsigned val);
 SOFIAPUBFUN unsigned nua_handle_is_destroyed(nua_handle_t *nh);
 SOFIAPUBFUN void nua_handle_dialog_usage_set_refresh_range(nua_handle_t *nh,

libsofia-sip-ua/tport/sofia-sip/tport.h

@@ -273,6 +273,9 @@ TPORT_DLL int tport_has_tls(tport_t const *tport);
 /** Test if transport provided a verified certificate chain (TLS only) */
 TPORT_DLL int tport_is_verified(tport_t const *tport);
 
+/** Reload TLS certificates on all TLS primaries. */
+TPORT_DLL int tport_reload_tls(tport_t *self, char const *cert_dir);
+
 /** Return true if transport is being updated. */
 TPORT_DLL int tport_is_updating(tport_t const *self);
 

libsofia-sip-ua/tport/tport.c

@@ -62,6 +62,14 @@ typedef struct tport_nat_s tport_nat_t;
 #include <errno.h>
 #include <limits.h>
 
+#if HAVE_WIN32
+#include <io.h>
+#define access(_filename, _mode) _access(_filename, _mode)
+#define R_OK (04)
+#else
+#include <unistd.h>
+#endif
+
 #ifndef IPPROTO_SCTP
 #define IPPROTO_SCTP (132)
 #endif
@@ -71,6 +79,7 @@ typedef struct tport_nat_s tport_nat_t;
 #include <sofia-sip/rbtree.h>
 
 #include "tport_internal.h"
+#include "tport_tls.h"
 
 #if HAVE_FUNC
 #elif HAVE_FUNCTION
@@ -280,6 +289,42 @@ int tport_is_verified(tport_t const *self)
   return tport_has_tls(self) && self->tp_is_connected && self->tp_verified;
 }
 
+/** Reload TLS certificates on all TLS primary transports. */
+int tport_reload_tls(tport_t *self, char const *cert_dir)
+{
+  su_home_t autohome[SU_HOME_AUTO_SIZE(1024)];
+  char const *cert, *cafile;
+  tport_t *tp;
+  int reloaded = 0;
+
+  if (!self || !cert_dir)
+    return -1;
+
+  su_home_auto(autohome, sizeof autohome);
+
+  cert = su_sprintf(autohome, "%s/%s", cert_dir, "agent.pem");
+  if (access(cert, R_OK) != 0)
+    cert = su_sprintf(autohome, "%s/%s", cert_dir, "tls.pem");
+
+  cafile = su_sprintf(autohome, "%s/%s", cert_dir, "cafile.pem");
+  if (access(cafile, R_OK) != 0)
+    cafile = su_sprintf(autohome, "%s/%s", cert_dir, "tls.pem");
+
+  for (tp = tport_primaries(self); tp; tp = tport_next(tp)) {
+    if (tport_has_tls(tp)) {
+      tport_tls_primary_t *tlspri = (tport_tls_primary_t *)tp->tp_pri;
+      if (tlspri->tlspri_master) {
+        if (tls_reload_cert(tlspri->tlspri_master, cert, cert, cafile) == 0)
+          reloaded++;
+      }
+    }
+  }
+
+  su_home_deinit(autohome);
+
+  return reloaded;
+}
+
 /** Return true if transport is being updated. */
 int tport_is_updating(tport_t const *self)
 {

libsofia-sip-ua/tport/tport_tls.c

@@ -554,6 +554,40 @@ tls_t *tls_init_master(tls_issues_t *ti)
   return tls;
 }
 
+int tls_reload_cert(tls_t *tls, char const *cert, char const *key, char const *CAfile)
+{
+  if (!tls || tls->type != tls_master || !tls->ctx) {
+    SU_DEBUG_1(("tls_reload_cert: invalid master context\n" VA_NONE));
+    return -1;
+  }
+
+  if (cert && !SSL_CTX_use_certificate_file(tls->ctx, cert, SSL_FILETYPE_PEM)) {
+    SU_DEBUG_1(("tls_reload_cert: failed to reload certificate: %s\n", cert));
+    tls_log_errors(1, "tls_reload_cert(cert)", 0);
+    return -1;
+  }
+
+  if (key && !SSL_CTX_use_PrivateKey_file(tls->ctx, key, SSL_FILETYPE_PEM)) {
+    SU_DEBUG_1(("tls_reload_cert: failed to reload private key: %s\n", key));
+    tls_log_errors(1, "tls_reload_cert(key)", 0);
+    return -1;
+  }
+
+  if (!SSL_CTX_check_private_key(tls->ctx)) {
+    SU_DEBUG_1(("tls_reload_cert: private key does not match certificate\n" VA_NONE));
+    return -1;
+  }
+
+  if (CAfile && !SSL_CTX_load_verify_locations(tls->ctx, CAfile, NULL)) {
+    SU_DEBUG_1(("tls_reload_cert: failed to reload CA file: %s\n", CAfile));
+    tls_log_errors(1, "tls_reload_cert(CA)", 0);
+    return -1;
+  }
+
+  SU_DEBUG_3(("tls_reload_cert: certificates reloaded successfully\n" VA_NONE));
+  return 0;
+}
+
 tls_t *tls_init_secondary(tls_t *master, int sock, int accept)
 {
   tls_t *tls = tls_create(tls_slave);

libsofia-sip-ua/tport/tport_tls.h

@@ -81,6 +81,7 @@ typedef struct tport_tls_primary_s {
 
 tls_t *tls_init_master(tls_issues_t *tls_issues);
 tls_t *tls_init_secondary(tls_t *tls_master, int sock, int accept);
+int tls_reload_cert(tls_t *tls, char const *cert, char const *key, char const *CAfile);
 void tport_tls_free(tls_t *tls);
 int tls_get_socket(tls_t *tls);
 void tls_log_errors(unsigned level, char const *s, unsigned long e);