Add POLARSSL_REMOVE_RC4_CIPHERSUITES
diff --git a/ChangeLog b/ChangeLog
index a16a948..a0a8a18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,8 @@
* Blowfish in the cipher layer now supports variable length keys.
* Add example config.h for PSK with CCM, optimized for low RAM usage.
* Optimize for RAM usage in example config.h for NSA Suite B profile.
+ * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
+ from the default list (inactive by default).
Changes
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 0dca560..9aae611 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -315,6 +315,19 @@
//#define POLARSSL_ENABLE_WEAK_CIPHERSUITES
/**
+ * \def POLARSSL_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with ssl_set_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+//#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
+
+/**
* \def POLARSSL_ECP_XXXX_ENABLED
*
* Enables specific curves within the Elliptic Curve module.
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 7463353..608e26d 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1694,7 +1694,13 @@
for( i = 0; i < max - 1 && p[i] != 0; i++ )
{
+#if defined(POLARSSL_REMOVE_ARC4_CIPHERSUITES)
+ const ssl_ciphersuite_t *cs_info;
+ if( ( cs_info = ssl_ciphersuite_from_id( p[i] ) ) != NULL &&
+ cs_info->cipher != POLARSSL_CIPHER_ARC4_128 )
+#else
if( ssl_ciphersuite_from_id( p[i] ) != NULL )
+#endif
*(q++) = p[i];
}
*q = 0;