Allow setting TLS cipher suites through Sofia-SIP API

Previously there was no way to override the hard-coded cipher suite
specification of "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".

This commit does leave in place the hardcoded cipher spec for WebRTC
of "HIGH:!DSS:!aNULL@STRENGTH".

libs/sofia-sip/libsofia-sip-ua/tport/sofia-sip/tport_tag.h

@@ -180,6 +180,12 @@ TPORT_DLL extern tag_typedef_t tptag_certificate;
 TPORT_DLL extern tag_typedef_t tptag_certificate_ref;
 #define TPTAG_CERTIFICATE_REF(x) tptag_certificate_ref, tag_str_vr(&(x))
 
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers;
+#define TPTAG_TLS_CIPHERS(x) tptag_tls_ciphers, tag_str_v((x))
+
+TPORT_DLL extern tag_typedef_t tptag_tls_ciphers_ref;
+#define TPTAG_TLS_CIPHERS_REF(x) tptag_tls_ciphers_ref, tag_str_vr(&(x))
+
 enum tport_tls_version {
   TPTLS_VERSION_SSLv2 = (1 << 0),
   TPTLS_VERSION_SSLv3 = (1 << 1),

libs/sofia-sip/libsofia-sip-ua/tport/tport_tag.c

@@ -270,6 +270,14 @@ tag_typedef_t tptag_certificate = STRTAG_TYPEDEF(certificate);
  */
 tag_typedef_t tptag_compartment = PTRTAG_TYPEDEF(compartment);
 
+/**@def TPTAG_TLS_CIPHERS(x)
+ *
+ * Sets the supported TLS cipher suites.
+ *
+ * Use with tport_tbind(), nua_create(), nta_agent_create(),
+ * nta_agent_add_tport(), nth_engine_create(), or initial nth_site_create().
+ */
+tag_typedef_t tptag_tls_ciphers = STRTAG_TYPEDEF(tls_ciphers);
 
 /**@def TPTAG_TLS_VERSION(x)
  *

libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c

@@ -202,7 +202,7 @@ void tls_set_default(tls_issues_t *i)
   i->key = i->key ? i->key : i->cert;
   i->randFile = i->randFile ? i->randFile : "tls_seed.dat";
   i->CAfile = i->CAfile ? i->CAfile : "cafile.pem";
-  i->cipher = i->cipher ? i->cipher : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
+  i->ciphers = i->ciphers ? i->ciphers : "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH";
   /* Default SIP cipher */
   /* "RSA-WITH-AES-128-CBC-SHA"; */
   /* RFC-2543-compatibility ciphersuite */
@@ -385,7 +385,7 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti)
   SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth);
   SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb);
 
-  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) {
+  if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) {
     SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context"));
     tls_log_errors(3, "tls_init_context", 0);
     errno = EIO;

libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.h

@@ -60,7 +60,7 @@ typedef struct tls_issues_s {
   char *randFile;       /* Seed file for the PRNG (default: tls_seed.dat) */
   char *CAfile;		/* PEM file of CA's                           */
   char *CApath;		/* PEM file path of CA's		      */
-  char *cipher;         /* Should be one of the above defined ciphers *
+  char *ciphers;         /* Should be one of the above defined ciphers *
 			 * or NULL (default: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
                          */
   int   version;	/* For tls1, version is 1. When ssl3/ssl2 is

libs/sofia-sip/libsofia-sip-ua/tport/tport_type_tls.c

@@ -180,6 +180,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
   char *homedir;
   char *tbf = NULL;
   char const *path = NULL;
+  char const *tls_ciphers = NULL;
   unsigned tls_version = 1;
   unsigned tls_timeout = 300;
   unsigned tls_verify = 0;
@@ -198,6 +199,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
 
   tl_gets(tags,
 	  TPTAG_CERTIFICATE_REF(path),
+	  TPTAG_TLS_CIPHERS_REF(tls_ciphers),
 	  TPTAG_TLS_VERSION_REF(tls_version),
 	  TPTAG_TLS_TIMEOUT_REF(tls_timeout),
 	  TPTAG_TLS_VERIFY_PEER_REF(tls_verify),
@@ -229,6 +231,7 @@ static int tport_tls_init_master(tport_primary_t *pri,
     ti.CAfile = su_sprintf(autohome, "%s/%s", path, "cafile.pem");
 	if (access(ti.CAfile, R_OK) != 0) ti.CAfile = NULL;
     if (!ti.CAfile) ti.CAfile = su_sprintf(autohome, "%s/%s", path, "tls.pem");
+    if (tls_ciphers) ti.ciphers = su_strdup(autohome, tls_ciphers);
     ti.version = tls_version;
     ti.timeout = tls_timeout;
     ti.CApath = su_strdup(autohome, path);