Drop single-DES ciphersuites.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
diff --git a/ChangeLog.d/remove_obsolete_tls_features.txt b/ChangeLog.d/remove_obsolete_tls_features.txt
index 222903c..d155b5b 100644
--- a/ChangeLog.d/remove_obsolete_tls_features.txt
+++ b/ChangeLog.d/remove_obsolete_tls_features.txt
@@ -4,3 +4,4 @@
* Drop support for compatibility with our own previous buggy implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).
* Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
* Drop support for RC4 TLS ciphersuites.
+ * Drop single-DES ciphersuites.
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 15af180..043dcce 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -661,10 +661,6 @@
* Warning: Only do so when you know what you are doing. This allows for
* channels with virtually no security at all!
*
- * This enables the following ciphersuites:
- * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
- *
* Uncomment this macro to enable weak ciphersuites
*
* \warning DES is considered a weak cipher and its use constitutes a
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 176e6bc..95dd367 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -702,10 +702,6 @@
* Warning: Only do so when you know what you are doing. This allows for
* channels with virtually no security at all!
*
- * This enables the following ciphersuites:
- * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
- * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
- *
* Uncomment this macro to enable weak ciphersuites
*
* \warning DES is considered a weak cipher and its use constitutes a
diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h
index ff66354..3eacfb5 100644
--- a/include/mbedtls/ssl_ciphersuites.h
+++ b/include/mbedtls/ssl_ciphersuites.h
@@ -42,11 +42,8 @@
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
-#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 0x09 /**< Weak! Not in TLS 1.2 */
-
#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
-#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 /**< Weak! Not in TLS 1.2 */
#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 8d0d088..49e0784 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -266,10 +266,6 @@
MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
- /* Weak suites */
- MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA,
-
/* NULL suites */
MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
@@ -1671,29 +1667,6 @@
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#if defined(MBEDTLS_DES_C)
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if defined(MBEDTLS_SHA1_C)
- { MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
- MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
- MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
- MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
- MBEDTLS_CIPHERSUITE_WEAK },
-#endif /* MBEDTLS_SHA1_C */
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if defined(MBEDTLS_SHA1_C)
- { MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
- MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
- MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
- MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
- MBEDTLS_CIPHERSUITE_WEAK },
-#endif /* MBEDTLS_SHA1_C */
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-#endif /* MBEDTLS_DES_C */
#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
#if defined(MBEDTLS_ARIA_C)