Add SSL_CIPHERSUITES config option
diff --git a/ChangeLog b/ChangeLog
index a0a8a18..142ea30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,8 @@
* Optimize for RAM usage in example config.h for NSA Suite B profile.
* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
from the default list (inactive by default).
+ * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
+ ciphersuites to use and save some memory if the list is small.
Changes
* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index bfd68c4..e83518a 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -2155,6 +2155,20 @@
//#define SSL_MAX_CONTENT_LEN 16384 /**< Size of the input / output buffer */
//#define SSL_DEFAULT_TICKET_LIFETIME 86400 /**< Lifetime of session tickets (if enabled) */
+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define SSL_CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
/* Debug options */
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index ea12146..df838e2 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -57,6 +57,9 @@
*/
static const int ciphersuite_preference[] =
{
+#if defined(SSL_CIPHERSUITES)
+ SSL_CIPHERSUITES,
+#else
/* All AES-256 ephemeral suites */
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -257,6 +260,7 @@
TLS_PSK_WITH_NULL_SHA256,
TLS_PSK_WITH_NULL_SHA,
+#endif
0
};
@@ -1675,6 +1679,12 @@
{ 0, "", 0, 0, 0, 0, 0, 0, 0, 0 }
};
+#if defined(SSL_CIPHERSUITES)
+const int *ssl_list_ciphersuites( void )
+{
+ return( ciphersuite_preference );
+}
+#else
#define MAX_CIPHERSUITES sizeof( ciphersuite_definitions ) / \
sizeof( ciphersuite_definitions[0] )
static int supported_ciphersuites[MAX_CIPHERSUITES];
@@ -1711,6 +1721,7 @@
return( supported_ciphersuites );
};
+#endif /* SSL_CIPHERSUITES */
const ssl_ciphersuite_t *ssl_ciphersuite_from_string(
const char *ciphersuite_name )