mbedtls_ssl_conf_arc4_support() depends on ARC4_C

2025-11-03 20:22:59 -05:00 · 2015-05-14 12:28:21 +02:00 · 2015-05-14 12:28:21 +02:00 · 66dc5555f0
commit 66dc5555f0
parent 22404866af
6 changed files with 23 additions and 5 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -911,10 +911,12 @@ typedef struct

    unsigned int endpoint : 1;      /*!< 0: client, 1: server               */
    unsigned int transport : 1;     /*!< stream (TLS) or datagram (DTLS)    */
-    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
    unsigned int authmode : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
    /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
    unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
+#if defined(MBEDTLS_ARC4_C)
+    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
+#endif
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
    unsigned int mfl_code : 3;      /*!< desired fragment length            */
 #endif
@ -1928,6 +1930,7 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */

+#if defined(MBEDTLS_ARC4_C)
 /**
 * \brief          Disable or enable support for RC4
 *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
@ -1942,6 +1945,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
 */
 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
+#endif /* MBEDTLS_ARC4_C */

 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -711,9 +711,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
            continue;
 #endif

+#if defined(MBEDTLS_ARC4_C)
        if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
            ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
            continue;
+#endif

        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
                       ciphersuites[i] ) );
@ -1405,15 +1407,17 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );

    suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
-    if( suite_info == NULL ||
-        ( ssl->conf->arc4_disabled &&
-          suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) )
+    if( suite_info == NULL
+#if defined(MBEDTLS_ARC4_C)
+            || ( ssl->conf->arc4_disabled &&
+                suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+#endif
+        )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
    }

-
    i = 0;
    while( 1 )
    {
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -969,12 +969,14 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
        return( 0 );
 #endif

+#if defined(MBEDTLS_ARC4_C)
    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
        return( 0 );
    }
+#endif

 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
    if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5627,10 +5627,12 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 }
 #endif

+#if defined(MBEDTLS_ARC4_C)
 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
 {
    conf->arc4_disabled = arc4;
 }
+#endif

 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
@ -6679,7 +6681,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
                           mbedtls_ssl_list_ciphersuites();

+#if defined(MBEDTLS_ARC4_C)
    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
+#endif

 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
    conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -1116,8 +1116,10 @@ int main( int argc, char *argv[] )
    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
        mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );

+#if defined(MBEDTLS_ARC4_C)
    if( opt.arc4 != DFL_ARC4 )
        mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
+#endif

    if( opt.allow_legacy != DFL_ALLOW_LEGACY )
        mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy );
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1637,8 +1637,10 @@ int main( int argc, char *argv[] )
    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
        mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );

+#if defined(MBEDTLS_ARC4_C)
    if( opt.arc4 != DFL_ARC4 )
        mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
+#endif

    if( opt.version_suites != NULL )
    {