diff --git a/ChangeLog b/ChangeLog index a0a8a18f9..142ea30be 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,8 @@ Features * Optimize for RAM usage in example config.h for NSA Suite B profile. * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default). + * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of + ciphersuites to use and save some memory if the list is small. Changes * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is diff --git a/include/polarssl/config.h b/include/polarssl/config.h index bfd68c401..e83518a84 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -2155,6 +2155,20 @@ //#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */ //#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */ +/** + * Complete list of ciphersuites to use, in order of preference. + * + * \warning No dependency checking is done on that field! This option can only + * be used to restrict the set of available ciphersuites. It is your + * responsibility to make sure the needed modules are active. + * + * Use this to save a few hundred bytes of ROM (default ordering of all + * available ciphersuites) and a few to a few hundred bytes of RAM. + * + * The value below is only an example, not the default. + */ +//#define SSL_CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + /* Debug options */ //#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index ea12146ef..df838e260 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -57,6 +57,9 @@ */ static const int ciphersuite_preference[] = { +#if defined(SSL_CIPHERSUITES) + SSL_CIPHERSUITES, +#else /* All AES-256 ephemeral suites */ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, @@ -257,6 +260,7 @@ static const int ciphersuite_preference[] = TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, +#endif 0 }; @@ -1675,6 +1679,12 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] = { 0, "", 0, 0, 0, 0, 0, 0, 0, 0 } }; +#if defined(SSL_CIPHERSUITES) +const int *ssl_list_ciphersuites( void ) +{ + return( ciphersuite_preference ); +} +#else #define MAX_CIPHERSUITES sizeof( ciphersuite_definitions ) / \ sizeof( ciphersuite_definitions[0] ) static int supported_ciphersuites[MAX_CIPHERSUITES]; @@ -1711,6 +1721,7 @@ const int *ssl_list_ciphersuites( void ) return( supported_ciphersuites ); }; +#endif /* SSL_CIPHERSUITES */ const ssl_ciphersuite_t *ssl_ciphersuite_from_string( const char *ciphersuite_name )