Add ssl_set_arc4_support()

Rationale: if people want to disable RC4 but otherwise keep the default suite list, it was cumbersome. Also, since it uses a global array, ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like the best place, even if it means temporarily adding one SSL setting.
2025-08-08 17:42:09 +03:00 · 2015-01-12 13:43:29 +01:00
parent 448ea506bf
commit bd47a58221
9 changed files with 114 additions and 15 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -588,6 +588,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
            ciphersuite_info->max_minor_ver < ssl->min_minor_ver )
            continue;

+        if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
+            ciphersuite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+            continue;
+
        SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
                       ciphersuites[i] ) );

@@ -879,6 +883,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    unsigned char *buf, *ext;
    int renegotiation_info_seen = 0;
    int handshake_failure = 0;
+    const ssl_ciphersuite_t *suite_info;
 #if defined(POLARSSL_DEBUG_C)
    uint32_t t;
 #endif
@@ -1059,6 +1064,16 @@ static int ssl_parse_server_hello( ssl_context *ssl )
    SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
    SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );

+    suite_info = ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
+    if( suite_info == NULL ||
+        ( ssl->arc4_disabled &&
+          suite_info->cipher == POLARSSL_CIPHER_ARC4_128 ) )
+    {
+        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+
    i = 0;
    while( 1 )
    {
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -847,6 +847,10 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
        suite_info->max_minor_ver < ssl->minor_ver )
        return( 0 );

+    if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
+            suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
+        return( 0 );
+
 #if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
    if( ssl_ciphersuite_uses_ec( suite_info ) &&
        ( ssl->handshake->curves == NULL ||
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3977,6 +3977,11 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor )
    }
 }

+void ssl_set_arc4_support( ssl_context *ssl, char arc4 )
+{
+    ssl->arc4_disabled = arc4;
+}
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
 {