Add SSL_CIPHERSUITES config option

2025-11-03 20:22:59 -05:00 · 2014-06-30 17:59:55 +02:00 · 2014-06-30 17:59:55 +02:00 · dfc7df0bec
commit dfc7df0bec
parent 791684c058
3 changed files with 27 additions and 0 deletions
--- a/2
+++ b/2
@ -20,6 +20,8 @@ Features
   * Optimize for RAM usage in example config.h for NSA Suite B profile.
   * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
     from the default list (inactive by default).
+   * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
+     ciphersuites to use and save some memory if the list is small.

 Changes
   * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@ -2155,6 +2155,20 @@
 //#define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
 //#define SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */

+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define SSL_CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
 /* Debug options */
 //#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */

--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@ -57,6 +57,9 @@
 */
 static const int ciphersuite_preference[] =
 {
+#if defined(SSL_CIPHERSUITES)
+    SSL_CIPHERSUITES,
+#else
    /* All AES-256 ephemeral suites */
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@ -257,6 +260,7 @@ static const int ciphersuite_preference[] =
    TLS_PSK_WITH_NULL_SHA256,
    TLS_PSK_WITH_NULL_SHA,

+#endif
    0
 };

@ -1675,6 +1679,12 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
    { 0, "", 0, 0, 0, 0, 0, 0, 0, 0 }
 };

+#if defined(SSL_CIPHERSUITES)
+const int *ssl_list_ciphersuites( void )
+{
+    return( ciphersuite_preference );
+}
+#else
 #define MAX_CIPHERSUITES    sizeof( ciphersuite_definitions     ) /         \
                            sizeof( ciphersuite_definitions[0]  )
 static int supported_ciphersuites[MAX_CIPHERSUITES];
@ -1711,6 +1721,7 @@ const int *ssl_list_ciphersuites( void )

    return( supported_ciphersuites );
 };
+#endif /* SSL_CIPHERSUITES */

 const ssl_ciphersuite_t *ssl_ciphersuite_from_string(
                                                const char *ciphersuite_name )