Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
Fix 4416
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 29c6d14..846900a 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -612,8 +612,7 @@
* Warning: Only do so when you know what you are doing. This allows for
* encryption or channels without any security!
*
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
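Review bot: `To enable the following ciphersuites:` is a sentence fragment that no longer says what enables them, both at the reworded line in this hunk and at the identical one in include/mbedtls/config.h (@@ -659). This commit removes the second opt-in, so the documented macro is now the only switch for the NULL suites. The comment should say that outright, e.g. `* Uncommenting this macro is all that is needed to enable the following ciphersuites:`. The comment block starts and ends outside the hunk, so the macro it documents is not visible here; going by the remaining guard in library/ssl_ciphersuites.c it is presumably MBEDTLS_CIPHER_NULL_CIPHER.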
@@ -655,20 +654,6 @@
#define MBEDTLS_CIPHER_PADDING_ZEROS
/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-
-/**
* \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
*
* MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index dabbb28..48d3052 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -659,8 +659,7 @@
* Warning: Only do so when you know what you are doing. This allows for
* encryption or channels without any security!
*
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@@ -709,20 +708,6 @@
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-
-/**
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
*
* Remove 3DES ciphersuites by default in SSL / TLS.
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 49e0784..f51f202 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1534,7 +1534,6 @@
#endif /* MBEDTLS_AES_C */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_MD5_C)
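Review bot: With the outer `#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)` removed, the NULL-cipher suite definitions that follow are gated by `MBEDTLS_CIPHER_NULL_CIPHER` alone, so a configuration that defined that macro without the weak-suites option gains unencrypted ciphersuites on upgrade with no edit to its config file. No ChangeLog or migration entry is visible in this diff, and a leftover `#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES` in a user config is now silently ignored. I would add a comment at the guard such as `/* NULL ciphersuites: no confidentiality; compiled in whenever MBEDTLS_CIPHER_NULL_CIPHER is defined */` and record the behaviour change in the release notes. Whether these suites also end up in the default offered list cannot be told from these hunks and is worth checking. The guarded block runs past this hunk; the matching `#endif` removal is in the next one (@@ -1667).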
@@ -1667,8 +1666,6 @@
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
#if defined(MBEDTLS_ARIA_C)
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
diff --git a/library/version_features.c b/library/version_features.c
index 7af2474..11c5f09 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -300,9 +300,6 @@
#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
"MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
"MBEDTLS_REMOVE_3DES_CIPHERSUITES",
#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 05b3df8..ab9e2f7 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -851,14 +851,6 @@
}
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- if( strcmp( "MBEDTLS_ENABLE_WEAK_CIPHERSUITES", config ) == 0 )
- {
- MACRO_EXPANSION_TO_STR( MBEDTLS_ENABLE_WEAK_CIPHERSUITES );
- return( 0 );
- }
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
{