From 2e52e2479225b6754070c091965381c3a38c110a Mon Sep 17 00:00:00 2001
From: Simon Morlat
Date: Fri, 2 Dec 2011 18:12:36 +0100
Subject: [PATCH] fix TLS support under linphonec and gtk (problem not occuring with mobile versions)
Implement registration refresh upon SIP network protocol change.
---
 coreapi/linphonecore.c | 39 +++++++++++++++++++++++++++++++--------
 coreapi/linphonecore.h | 1 +
 coreapi/private.h | 2 ++
 coreapi/sal.h | 3 ++-
 coreapi/sal_eXosip2.c | 9 ++++++++-
 coreapi/sal_eXosip2.h | 5 +++--
 6 files changed, 47 insertions(+), 12 deletions(-)
diff --git a/coreapi/linphonecore.c b/coreapi/linphonecore.c
index 6bd1b6e9b..55e01193e 100644
--- a/coreapi/linphonecore.c
+++ b/coreapi/linphonecore.c
@@ -501,6 +501,13 @@ static void sip_config_read(LinphoneCore *lc)
 } else {
 tr.tls_port=lp_config_get_int(lc->config,"sip","sip_tls_port",0);
 }
+
+#ifdef __linux
+ sal_set_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", "/etc/ssl/certs"));
+#else
+ sal_set_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", ROOT_CA_FILE));
+#endif
+ linphone_core_verify_server_certificates(lc,lp_config_get_int(lc->config,"sip","verify_server_certs",TRUE));
 /*start listening on ports*/
 linphone_core_set_sip_transports(lc,&tr);
@@ -523,12 +530,6 @@ static void sip_config_read(LinphoneCore *lc)
 ms_free(contact);
 }
-#ifdef __linux
- sal_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", "/etc/ssl/certs"));
-#else
- sal_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", ROOT_CA_FILE));
-#endif
-
 tmp=lp_config_get_int(lc->config,"sip","guess_hostname",1);
 linphone_core_set_guess_hostname(lc,tmp);
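Review bot: The `verify_server_certs` value read from the `[sip]` section on the new `linphone_core_verify_server_certificates(...)` line silently turns off TLS server authentication whenever a config file sets it to 0, and nothing in the hunk records that downgrade. A warning next to it makes a misconfigured or tampered config visible in the logs, e.g. `if (!lp_config_get_int(lc->config,"sip","verify_server_certs",TRUE)) ms_warning("sip/verify_server_certs=0: TLS server certificates will not be checked");` (or read the value into a local once and reuse it for both the call and the check). The `/etc/ssl/certs` default on the `#ifdef __linux` branch is a directory while `ROOT_CA_FILE` presumably names a file; the `Sal` struct comment in this same patch says both forms are accepted, so that looks intended. sip_config_read begins before this hunk.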
@@ -1480,12 +1481,15 @@ static int apply_transports(LinphoneCore *lc){
 const char *anyaddr;
 LCSipTransports *tr=&lc->sip_conf.transports;
+ /*first of all invalidate all current registrations so that we can register again with new transports*/
+ __linphone_core_invalidate_registers(lc);
+
 if (lc->sip_conf.ipv6_enabled)
 anyaddr="::0";
 else
 anyaddr="0.0.0.0";
- sal_unlisten_ports (sal);
+ sal_unlisten_ports(sal);
 if (tr->udp_port>0){
 if (sal_listen_port (sal,anyaddr,tr->udp_port,SalTransportUDP,FALSE)!=0){
 transport_error(lc,"udp",tr->udp_port);
@@ -2995,7 +2999,14 @@ const char *linphone_core_get_ring(const LinphoneCore *lc){
 * @ingroup media_parameters
 **/
 void linphone_core_set_root_ca(LinphoneCore *lc,const char *path){
- sal_root_ca(lc->sal, path);
+ sal_set_root_ca(lc->sal, path);
+}
+
+/**
+ * Specify whether the tls server certificate must be verified when connecting to a SIP/TLS server.
+**/
+void linphone_core_verify_server_certificates(LinphoneCore *lc, bool_t yesno){
+ sal_verify_server_certificates(lc->sal,yesno);
 }
 static void notify_end_of_ring(void *ud, MSFilter *f, unsigned int event, void *arg){
@@ -4126,6 +4137,7 @@ static void set_network_reachable(LinphoneCore* lc,bool_t isReachable, time_t cu
 }
 }
+
 void linphone_core_refresh_registers(LinphoneCore* lc) {
 const MSList *elem=linphone_core_get_proxy_config_list(lc);
 for(;elem!=NULL;elem=elem->next){
@@ -4136,6 +4148,17 @@ void linphone_core_refresh_registers(LinphoneCore* lc) {
 }
 }
+void __linphone_core_invalidate_registers(LinphoneCore* lc){
+ const MSList *elem=linphone_core_get_proxy_config_list(lc);
+ for(;elem!=NULL;elem=elem->next){
+ LinphoneProxyConfig *cfg=(LinphoneProxyConfig*)elem->data;
+ if (linphone_proxy_config_register_enabled(cfg) ) {
+ linphone_proxy_config_edit(cfg);
+ linphone_proxy_config_done(cfg);
+ }
+ }
+}
+
 void linphone_core_set_network_reachable(LinphoneCore* lc,bool_t isReachable) {
 //first disable automatic mode
 if (lc->auto_net_state_mon) {
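Review bot: `__linphone_core_invalidate_registers(lc)` runs before `sal_unlisten_ports(sal)` and before any new port is bound, so if `linphone_proxy_config_done()` emits a REGISTER right away (its body is not in this patch, so this is an assumption to confirm) that request goes out over the transport that is about to be closed and the proxy never learns about the new one. If done() only marks the config so the REGISTER is sent on the next iterate, the placement is fine but the comment should say so, e.g. `/*mark all registrations for refresh; the REGISTERs are sent on the next iterate, once the new transports are listening*/`; otherwise move the call after the listen calls at the end of apply_transports. apply_transports starts and ends outside this hunk.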
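Review bot: The doc comment on the new `linphone_core_verify_server_certificates` does not say what the default is or what disabling it costs the user, and unlike the neighbouring `linphone_core_set_root_ca` it carries no `@ingroup` tag, so it will be missing from the generated API reference. Since `sal_init` in this same patch sets `verify_server_certs=TRUE`, I would add `* Enabled by default. Disabling it accepts any server certificate, including a forged one, so the SIP/TLS connection is no longer authenticated; only do this for testing.` followed by `* @ingroup media_parameters` to match the function above. The name also reads like a query rather than a setter; since the function is new in this patch, a `linphone_core_set_verify_server_certificates` or `_enable_` form would read better.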
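Review bot: `__linphone_core_invalidate_registers` uses a double-underscore prefix, which C reserves for the implementation (C11 7.1.3), so the name may collide with compiler or libc internals; the declaration already lives in private.h, so a plain `linphone_core_invalidate_registers` (or an `_internal` suffix) gives the same visibility without the reserved name. The function is also undocumented; a header comment such as `/* Re-run edit()/done() on every register-enabled proxy config so its registration is redone on the current transports. */` states the contract the apply_transports caller relies on. Minor: `register_enabled(cfg) )` has a stray space before the closing parenthesis.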
diff --git a/coreapi/linphonecore.h b/coreapi/linphonecore.h
index 239e259c9..68d658694 100644
--- a/coreapi/linphonecore.h
+++ b/coreapi/linphonecore.h
@@ -870,6 +870,7 @@ char linphone_core_get_sound_source(LinphoneCore *lc);
 void linphone_core_set_sound_source(LinphoneCore *lc, char source);
 void linphone_core_set_ring(LinphoneCore *lc, const char *path);
 const char *linphone_core_get_ring(const LinphoneCore *lc);
+void linphone_core_verify_server_certificates(LinphoneCore *lc, bool_t yesno);
 void linphone_core_set_root_ca(LinphoneCore *lc, const char *path);
 void linphone_core_set_ringback(LinphoneCore *lc, const char *path);
 const char * linphone_core_get_ringback(const LinphoneCore *lc);
diff --git a/coreapi/private.h b/coreapi/private.h
index 93b1f459f..fda2b449b 100644
--- a/coreapi/private.h
+++ b/coreapi/private.h
@@ -529,6 +529,8 @@ void linphone_call_remove_from_conf(LinphoneCall *call);
 void linphone_core_conference_check_uninit(LinphoneConference *ctx);
 bool_t linphone_core_sound_resources_available(LinphoneCore *lc);
+void __linphone_core_invalidate_registers(LinphoneCore* lc);
+
 #define HOLD_OFF (0)
 #define HOLD_ON (1)
diff --git a/coreapi/sal.h b/coreapi/sal.h
index 86a0fb86b..0254dfbb7 100644
--- a/coreapi/sal.h
+++ b/coreapi/sal.h
@@ -285,7 +285,8 @@ void sal_reuse_authorization(Sal *ctx, bool_t enabled);
 void sal_use_one_matching_codec_policy(Sal *ctx, bool_t one_matching_codec);
 void sal_use_rport(Sal *ctx, bool_t use_rports);
 void sal_use_101(Sal *ctx, bool_t use_101);
-void sal_root_ca(Sal* ctx, const char* rootCa);
+void sal_set_root_ca(Sal* ctx, const char* rootCa);
+void sal_verify_server_certificates(Sal *ctx, bool_t verify);
 int sal_iterate(Sal *sal);
 MSList * sal_get_pending_auths(Sal *sal);
diff --git a/coreapi/sal_eXosip2.c b/coreapi/sal_eXosip2.c
index 4a04d0b0e..dc8ba9732 100644
--- a/coreapi/sal_eXosip2.c
+++ b/coreapi/sal_eXosip2.c
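Review bot: The new `sal_set_root_ca` and `sal_verify_server_certificates` declarations carry no comment, and the two behave differently in sal_eXosip2.c of this same patch: `sal_verify_server_certificates` pushes the value to eXosip immediately, whereas `sal_set_root_ca` only stores the path, which is copied into the TLS context on the next `sal_listen_port` of a TLS transport. A comment on each line keeps callers from assuming both take effect at once, e.g. `/* Stored only; takes effect on the next sal_listen_port() of a TLS transport. */` on the root CA setter and `/* Default TRUE (see sal_init); applied immediately and re-applied on each TLS listen. */` on the verify setter.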
@@ -282,6 +282,7 @@ Sal * sal_init(){
 sal->use_101=TRUE;
 sal->reuse_authorization=FALSE;
 sal->rootCa = 0;
+ sal->verify_server_certs=TRUE;
 return sal;
 }
@@ -374,6 +375,7 @@ int sal_listen_port(Sal *ctx, const char *addr, int port, SalTransport tr, int i
 snprintf(tlsCtx.root_ca_cert, sizeof(tlsCtx.client.cert), "%s", ctx->rootCa);
 eXosip_set_tls_ctx(&tlsCtx);
 }
+ eXosip_tls_verify_certificate(ctx->verify_server_certs);
 break;
 default:
 ms_warning("unexpected proto, using datagram");
@@ -440,12 +442,17 @@ void sal_use_101(Sal *ctx, bool_t use_101){
 ctx->use_101=use_101;
 }
-void sal_root_ca(Sal* ctx, const char* rootCa) {
+void sal_set_root_ca(Sal* ctx, const char* rootCa) {
 if (ctx->rootCa) ms_free(ctx->rootCa);
 ctx->rootCa = ms_strdup(rootCa);
 }
+void sal_verify_server_certificates(Sal *ctx, bool_t verify){
+ ctx->verify_server_certs=verify;
+ eXosip_tls_verify_certificate(verify);
+}
+
 static int extract_received_rport(osip_message_t *msg, const char **received, int *rportval,SalTransport* transport){
 osip_via_t *via=NULL;
 osip_generic_param_t *param=NULL;
diff --git a/coreapi/sal_eXosip2.h b/coreapi/sal_eXosip2.h
index bdc257740..f2577ee00 100644
--- a/coreapi/sal_eXosip2.h
+++ b/coreapi/sal_eXosip2.h
@@ -39,13 +39,14 @@ struct Sal{
 int running;
 int session_expires;
 int keepalive_period;
- void *up;
+ void *up; /*user pointer*/
+ char* rootCa; /* File _or_ folder containing root CA */
 bool_t one_matching_codec;
 bool_t double_reg;
 bool_t use_rports;
 bool_t use_101;
 bool_t reuse_authorization;
- char* rootCa; /* File _or_ folder containing root CA */
+ bool_t verify_server_certs;
 };
 struct SalOp{
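Review bot: The added `eXosip_tls_verify_certificate(ctx->verify_server_certs);` is reached even when `ctx->rootCa` is NULL, in which case the `if` block above it never hands a CA store to eXosip, so with verification on no server certificate can chain to anything; whether eXosip then rejects every TLS connection or lets them through is not visible here, and either outcome deserves a log line such as `if (ctx->verify_server_certs && !ctx->rootCa) ms_warning("TLS: verify_server_certs is on but no root CA is configured");`. Pre-existing rather than introduced here, but on the context line just above: the snprintf bounds the copy into `tlsCtx.root_ca_cert` with `sizeof(tlsCtx.client.cert)`; if those two fields differ in size that is either an overflow or a silent truncation of the CA path, and `sizeof(tlsCtx.root_ca_cert)` is the bound that matches the destination. sal_listen_port starts and ends outside this hunk.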
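Review bot: `sal_verify_server_certificates` calls `eXosip_tls_verify_certificate(verify)`, which takes no context argument, so the setting appears to be library-global rather than per-`Sal` (not provable from this hunk); `ctx->verify_server_certs` is then only a cache, and a second Sal in the same process, if one ever exists, would silently inherit the last value written. Disabling verification is the one value that weakens security, so it should leave a trace: `if (!verify) ms_warning("TLS server certificate verification disabled");`. A short comment on the function, e.g. `/* Takes effect immediately; sal_listen_port() re-applies the stored value when a TLS transport is (re)bound. */`, records the interplay with the listen path that the re-application in sal_listen_port relies on.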