Add pjsip_tls_transport_restart2() and pjsua_transport_lis_restart() for runtime transport settings update (#4631)

Author: Copilot

pjsip/include/pjsip/sip_transport_tls.h

@@ -651,6 +651,39 @@ PJ_DECL(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
                                                 const pj_sockaddr *local,
                                                 const pjsip_host_port *a_name);
 
+/**
+ * Restart the TLS listener with optional updated TLS settings. This will
+ * close the listener socket and recreate the socket. If new TLS settings
+ * are provided, they will be applied before creating the new socket,
+ * allowing runtime updates of certificates, keys, and other TLS parameters.
+ *
+ * @param factory       The SIP TLS transport factory.
+ *
+ * @param opt           Optional new TLS settings to be applied during restart.
+ *                      If NULL, the existing settings will be used (equivalent
+ *                      to calling pjsip_tls_transport_restart()).
+ *
+ * @param local         The address where the listener should be bound to.
+ *                      Both IP interface address and port fields are optional.
+ *                      If IP interface address is not specified, socket
+ *                      will be bound to PJ_INADDR_ANY. If port is not
+ *                      specified, socket will be bound to any port
+ *                      selected by the operating system.
+ *
+ * @param a_name        The published address for the listener.
+ *                      It can be set using IP address or hostname.
+ *                      If this argument is NULL, then the bound address will
+ *                      be used as the published address.
+ *
+ * @return              PJ_SUCCESS when the listener has been successfully
+ *                      restarted.
+ *
+ */
+PJ_DECL(pj_status_t) pjsip_tls_transport_restart2(pjsip_tpfactory *factory,
+                                                 const pjsip_tls_setting *opt,
+                                                 const pj_sockaddr *local,
+                                                 const pjsip_host_port *a_name);
+
 PJ_END_DECL
 
 /**

pjsip/include/pjsua-lib/pjsua.h

@@ -3594,6 +3594,24 @@ PJ_DECL(pj_status_t) pjsua_transport_lis_start( pjsua_transport_id id,
                                             const pjsua_transport_config *cfg);
 
 
+/**
+ * Restart the listener of the transport. This will close the listener socket
+ * and recreate it. For TLS transports, TLS settings can be specified in the
+ * transport config to update certificates, keys, and other TLS parameters 
+ * during runtime. For UDP transports, this will restart the transport with
+ * new settings.
+ *
+ * @param id            Transport ID.
+ * @param cfg           The new transport config used by the listener. 
+ *                      For TCP/TLS: port, public_addr, bound_addr, and tls_setting
+ *                      are used. For UDP: port, public_addr, and bound_addr are used.
+ *
+ * @return              PJ_SUCCESS on success, or the appropriate error code.
+ */
+PJ_DECL(pj_status_t) pjsua_transport_lis_restart( pjsua_transport_id id,
+                                                  const pjsua_transport_config *cfg);
+
+
 /**
  * @}
  */

pjsip/src/pjsip/sip_transport_tls.c

@@ -765,6 +765,15 @@ static pj_status_t lis_destroy(pjsip_tpfactory *factory)
 PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
                                                 const pj_sockaddr *local,
                                                 const pjsip_host_port *a_name)
+{
+    return pjsip_tls_transport_restart2(factory, NULL, local, a_name);
+}
+
+
+PJ_DEF(pj_status_t) pjsip_tls_transport_restart2(pjsip_tpfactory *factory,
+                                                 const pjsip_tls_setting *opt,
+                                                 const pj_sockaddr *local,
+                                                 const pjsip_host_port *a_name)
 {
     pj_status_t status = PJ_SUCCESS;
     struct tls_listener *listener = (struct tls_listener *)factory;
@@ -775,6 +784,15 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
                       "TLS restart requested while no listener created, "
                       "update the published address only"));
 
+        /* Update TLS settings if provided */
+        if (opt) {
+            /* Wipe old certificate keys for security */
+            pjsip_tls_setting_wipe_keys(&listener->tls_setting);
+            
+            /* Copy new settings */
+            pjsip_tls_setting_copy(listener->factory.pool, &listener->tls_setting, opt);
+        }
+
         status = update_factory_addr(listener, a_name);
         if (status != PJ_SUCCESS)
             return status;
@@ -787,6 +805,69 @@ PJ_DEF(pj_status_t) pjsip_tls_transport_restart(pjsip_tpfactory *factory,
 
     lis_close(listener);
 
+    /* Update TLS settings if provided */
+    if (opt) {
+        /* Wipe old certificate keys for security */
+        pjsip_tls_setting_wipe_keys(&listener->tls_setting);
+        
+        /* Copy new settings */
+        pjsip_tls_setting_copy(listener->factory.pool, &listener->tls_setting, opt);
+        
+        /* Free old certificate if present */
+        if (listener->cert) {
+            pj_ssl_cert_wipe_keys(listener->cert);
+            listener->cert = NULL;
+        }
+        
+        /* Load new certificate based on updated settings */
+        if (listener->tls_setting.cert_file.slen ||
+            listener->tls_setting.ca_list_file.slen ||
+            listener->tls_setting.ca_list_path.slen || 
+            listener->tls_setting.privkey_file.slen) 
+        {
+            status = pj_ssl_cert_load_from_files2(listener->factory.pool,
+                            &listener->tls_setting.ca_list_file,
+                            &listener->tls_setting.ca_list_path,
+                            &listener->tls_setting.cert_file,
+                            &listener->tls_setting.privkey_file,
+                            &listener->tls_setting.password,
+                            &listener->cert);
+            if (status != PJ_SUCCESS) {
+                tls_perror(listener->factory.obj_name,
+                           "Failed to load certificate from files", status, NULL);
+                return status;
+            }
+        } else if (listener->tls_setting.ca_buf.slen ||
+                   listener->tls_setting.cert_buf.slen ||
+                   listener->tls_setting.privkey_buf.slen)
+        {
+            status = pj_ssl_cert_load_from_buffer(listener->factory.pool,
+                            &listener->tls_setting.ca_buf,
+                            &listener->tls_setting.cert_buf,
+                            &listener->tls_setting.privkey_buf,
+                            &listener->tls_setting.password,
+                            &listener->cert);
+            if (status != PJ_SUCCESS) {
+                tls_perror(listener->factory.obj_name,
+                           "Failed to load certificate from buffer", status, NULL);
+                return status;
+            }
+        } else if (listener->tls_setting.cert_lookup.type !=
+                                                    PJ_SSL_CERT_LOOKUP_NONE &&
+                   listener->tls_setting.cert_lookup.keyword.slen)
+        {
+            status = pj_ssl_cert_load_from_store(
+                                    listener->factory.pool,
+                                    &listener->tls_setting.cert_lookup,
+                                    &listener->cert);
+            if (status != PJ_SUCCESS) {
+                tls_perror(listener->factory.obj_name,
+                           "Failed to load certificate from store", status, NULL);
+                return status;
+            }
+        }
+    }
+
     status = pjsip_tls_transport_lis_start(factory, local, a_name);
     if (status != PJ_SUCCESS) { 
         tls_perror(listener->factory.obj_name, 

pjsip/src/pjsua-lib/pjsua_core.c

@@ -3139,6 +3139,88 @@ PJ_DEF(pj_status_t) pjsua_transport_lis_start(pjsua_transport_id id,
 }
 
 
+PJ_DEF(pj_status_t) pjsua_transport_lis_restart(pjsua_transport_id id,
+                                               const pjsua_transport_config *cfg)
+{
+    pj_status_t status = PJ_SUCCESS;
+    pjsip_transport_type_e tp_type;
+    /* Common variables used by all transport types */
+    pj_sockaddr bind_addr;
+    pjsip_host_port addr_name;
+    int af;
+
+    /* Make sure id is in range. */
+    PJ_ASSERT_RETURN(id>=0 && id<(int)PJ_ARRAY_SIZE(pjsua_var.tpdata), 
+                     PJ_EINVAL);
+
+    /* Make sure that transport exists */
+    PJ_ASSERT_RETURN(pjsua_var.tpdata[id].data.ptr != NULL, PJ_EINVAL);
+
+    tp_type = pjsua_var.tpdata[id].type & ~PJSIP_TRANSPORT_IPV6;
+ 
+    if ((tp_type == PJSIP_TRANSPORT_TLS) || (tp_type == PJSIP_TRANSPORT_TCP)) {
+        pjsip_tpfactory *factory = pjsua_var.tpdata[id].data.factory;
+        af = pjsip_transport_type_get_af(factory->type);
+    } else if (tp_type == PJSIP_TRANSPORT_UDP) {
+        pjsip_transport *transport = pjsua_var.tpdata[id].data.tp;
+        af = pjsip_transport_type_get_af(transport->key.type);
+    } else {
+        return PJ_EINVAL;
+    }
+
+    /* Initialize bind address */
+    pj_sockaddr_init(af, &bind_addr, NULL, 0);
+    
+    if (cfg->port)
+        pj_sockaddr_set_port(&bind_addr, (pj_uint16_t)cfg->port);
+
+    if (cfg->bound_addr.slen) {
+        status = pj_sockaddr_set_str_addr(af, 
+                                          &bind_addr,
+                                          &cfg->bound_addr);
+        if (status != PJ_SUCCESS) {
+            pjsua_perror(THIS_FILE, 
+                         "Unable to resolve transport bound address", 
+                         status);
+            return status;
+        }
+    }
+
+    /* Set published name */
+    pj_bzero(&addr_name, sizeof(pjsip_host_port));
+    if (cfg->public_addr.slen)
+        addr_name.host = cfg->public_addr;
+
+    /* Restart transport based on type */
+    if ((tp_type == PJSIP_TRANSPORT_TLS) || (tp_type == PJSIP_TRANSPORT_TCP)) {
+        pjsip_tpfactory *factory = pjsua_var.tpdata[id].data.factory;
+        
+        if (tp_type == PJSIP_TRANSPORT_TCP) {
+            status = pjsip_tcp_transport_restart(factory, &bind_addr,
+                                                 &addr_name);
+        }
+#if defined(PJSIP_HAS_TLS_TRANSPORT) && PJSIP_HAS_TLS_TRANSPORT!=0
+        else {
+            /* Use the new restart2 function for TLS to support settings update */
+            status = pjsip_tls_transport_restart2(factory, &cfg->tls_setting, &bind_addr,
+                                                  &addr_name); 
+        }
+#endif  
+    } else if (tp_type == PJSIP_TRANSPORT_UDP) {
+        pjsip_transport *transport = pjsua_var.tpdata[id].data.tp;
+            
+        /* Restart UDP transport using restart2 function */
+        status = pjsip_udp_transport_restart2(transport, 
+                                             PJSIP_UDP_TRANSPORT_DESTROY_SOCKET,
+                                             PJ_INVALID_SOCKET,
+                                             &bind_addr,
+                                             cfg->public_addr.slen ? &addr_name : NULL);
+    }
+    
+    return status;
+}
+
+
 /*
  * Add additional headers etc in msg_data specified by application
  * when sending requests.