From 01edb1044cada57f30fad6130a2e5b9acbc94004 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 24 Jun 2014 22:42:34 +0200
Subject: [PATCH] Add POLARSSL_REMOVE_RC4_CIPHERSUITES

---
 ChangeLog | 2 ++
 include/polarssl/config.h | 13 +++++++++++++
 library/ssl_ciphersuites.c | 6 ++++++
 3 files changed, 21 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index a16a948d7..a0a8a18f9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,8 @@ Features
 * Blowfish in the cipher layer now supports variable length keys.
 * Add example config.h for PSK with CCM, optimized for low RAM usage.
 * Optimize for RAM usage in example config.h for NSA Suite B profile.
+ * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
+ from the default list (inactive by default).
 
 Changes
 * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 0dca560e2..9aae6119c 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -314,6 +314,19 @@
 */
 //#define POLARSSL_ENABLE_WEAK_CIPHERSUITES
 
+/**
+ * \def POLARSSL_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with ssl_set_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+//#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
+
 /**
 * \def POLARSSL_ECP_XXXX_ENABLED
 *
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 7463353f4..608e26d2f 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1694,7 +1694,13 @@ const int *ssl_list_ciphersuites( void )
 
 for( i = 0; i < max - 1 && p[i] != 0; i++ )
 {
+#if defined(POLARSSL_REMOVE_ARC4_CIPHERSUITES)
+ const ssl_ciphersuite_t *cs_info;
+ if( ( cs_info = ssl_ciphersuite_from_id( p[i] ) ) != NULL &&
+ cs_info->cipher != POLARSSL_CIPHER_ARC4_128 )
+#else
 if( ssl_ciphersuite_from_id( p[i] ) != NULL )
+#endif
 *(q++) = p[i];
 }
 *q = 0;
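Review bot: The new `#if`/`#else` splits one `if` header around an unbraced body, so `*(q++) = p[i];` after `#endif` is governed by whichever condition the preprocessor keeps, and a later edit to one branch can change what is copied in only one build configuration. Looking the suite up once and skipping with `continue` keeps a single store into the list and lets both configurations share the NULL check, as in the excerpt below. Separately, the patch subject spells the option POLARSSL_REMOVE_RC4_CIPHERSUITES while this hunk tests `POLARSSL_REMOVE_ARC4_CIPHERSUITES`; a build that defines the subject's spelling compiles cleanly and still leaves RC4 suites in the default list, so the name is worth checking wherever it is documented. The body of ssl_list_ciphersuites() starts and ends outside this hunk.

```c
        for( i = 0; i < max - 1 && p[i] != 0; i++ )
        {
            const ssl_ciphersuite_t *cs_info = ssl_ciphersuite_from_id( p[i] );

            /* Suite is not available in this build */
            if( cs_info == NULL )
                continue;

#if defined(POLARSSL_REMOVE_ARC4_CIPHERSUITES)
            /* Default list only: explicit ssl_set_ciphersuites() is unaffected */
            if( cs_info->cipher == POLARSSL_CIPHER_ARC4_128 )
                continue;
#endif

            *(q++) = p[i];
        }
```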