From 27b96753e2df44d5afa3eb9135e5426bb80fc519 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 28 Jul 2021 10:31:15 -0700
Subject: [PATCH] Disable RC4 unless forcefully enabled with `--enable-rc4` or
 if `WOLFSSL_ALLOW_RC4` is specified. Related to issue #4248

---
 configure.ac                 | 31 +++++++++++++++++++------------
 wolfssl/wolfcrypt/settings.h | 13 +++++++++++++
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/configure.ac b/configure.ac
index f18f1aeeb..478768e06 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2681,14 +2681,11 @@ then
     # Requires PSK make sure on
     if test "x$ENABLED_PSK" = "xno"
     then
-       ENABLED_PSK="yes"
+        ENABLED_PSK="yes"
     fi
 
-    # Requires RC4 make sure on
-    if test "x$ENABLED_ARC4" = "xno"
-    then
-       ENABLED_ARC4="yes"
-    fi
+    # Requires RC4 make sure on (if not forcefully disabled with --disable-arc4)
+    test "$enable_arc4" = "" && enable_arc4=yes
 
     if test "x$ENABLED_CERTEXT" = "xno"
     then
@@ -3021,17 +3018,18 @@ then
 fi
 
 # ARC4
+if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes"
+then
+    # Requires RC4 make sure on (if not forcefully disabled with --disable-arc4)
+    test "$enable_arc4" = "" && enable_arc4=yes
+fi
+
 AC_ARG_ENABLE([arc4],
     [AS_HELP_STRING([--enable-arc4],[Enable ARC4 (default: disabled)])],
     [ ENABLED_ARC4=$enableval ],
     [ ENABLED_ARC4=no ]
     )
 
-if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes"
-then
-    ENABLED_ARC4="yes"
-fi
-
 if test "$ENABLED_ARC4" = "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
@@ -4415,7 +4413,7 @@ fi
 
 if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_QT" = "yes"
 then
-    ENABLED_ARC4="yes"
+    test "$enable_arc4" = "" && enable_arc4=yes
 fi
 
 if test "$ENABLED_ARC4" = "no"
@@ -6378,6 +6376,15 @@ fi
 if test "x$ENABLED_CERTS" = "xno" || test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_ASN" = "xno"; then
    AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
 fi
+
+
+# Depricated Algorithm Handling
+if test "$ENABLED_ARC4" = "yes"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALLOW_RC4"
+fi
+
+
 ################################################################################
 
 # USER SETTINGS
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index d85af55e6..dbe4bd242 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2497,6 +2497,19 @@ extern void uITRON4_free(void *p) ;
 #endif
 
 
+/* ---------------------------------------------------------------------------
+ * Depricated Algorithm Handling
+ *   Unless allowed via a build macro, disable support
+ * ---------------------------------------------------------------------------*/
+
+/* RC4: Per RFC7465 Feb 2015, the cipher suite has been deprecated due to a
+ * number of exploits capable of decrypting portions of encrypted messages. */
+#ifndef WOLFSSL_ALLOW_RC4
+    #undef  NO_RC4
+    #define NO_RC4
+#endif
+
+
 #ifdef __cplusplus
     }   /* extern "C" */
 #endif