Add POLARSSL_REMOVE_RC4_CIPHERSUITES

ChangeLog

@@ -18,6 +18,8 @@ Features
    * Blowfish in the cipher layer now supports variable length keys.
    * Add example config.h for PSK with CCM, optimized for low RAM usage.
    * Optimize for RAM usage in example config.h for NSA Suite B profile.
+   * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
+     from the default list (inactive by default).
 
 Changes
    * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is

include/polarssl/config.h

@@ -314,6 +314,19 @@
  */
 //#define POLARSSL_ENABLE_WEAK_CIPHERSUITES
 
+/**
+ * \def POLARSSL_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with ssl_set_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+//#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
+
 /**
  * \def POLARSSL_ECP_XXXX_ENABLED
  *

library/ssl_ciphersuites.c

@@ -1694,7 +1694,13 @@ const int *ssl_list_ciphersuites( void )
 
         for( i = 0; i < max - 1 && p[i] != 0; i++ )
         {
+#if defined(POLARSSL_REMOVE_ARC4_CIPHERSUITES)
+            const ssl_ciphersuite_t *cs_info;
+            if( ( cs_info = ssl_ciphersuite_from_id( p[i] ) ) != NULL &&
+                cs_info->cipher != POLARSSL_CIPHER_ARC4_128 )
+#else
             if( ssl_ciphersuite_from_id( p[i] ) != NULL )
+#endif
                 *(q++) = p[i];
         }
         *q = 0;