From 7e37338ddafbc7b47d079c57c6d93242cf21599e Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 24 Feb 2021 17:03:56 +0100 Subject: [PATCH] Drop single-DES ciphersuites. Signed-off-by: Mateusz Starzyk --- ChangeLog.d/remove_obsolete_tls_features.txt | 1 + configs/config-psa-crypto.h | 4 --- include/mbedtls/config.h | 4 --- include/mbedtls/ssl_ciphersuites.h | 3 --- library/ssl_ciphersuites.c | 27 -------------------- 5 files changed, 1 insertion(+), 38 deletions(-) diff --git a/ChangeLog.d/remove_obsolete_tls_features.txt b/ChangeLog.d/remove_obsolete_tls_features.txt index 222903c6c1..d155b5b7f0 100644 --- a/ChangeLog.d/remove_obsolete_tls_features.txt +++ b/ChangeLog.d/remove_obsolete_tls_features.txt @@ -4,3 +4,4 @@ API changes * Drop support for compatibility with our own previous buggy implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT). * Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT). * Drop support for RC4 TLS ciphersuites. + * Drop single-DES ciphersuites. diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 15af1800ad..043dccee44 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h @@ -661,10 +661,6 @@ * Warning: Only do so when you know what you are doing. This allows for * channels with virtually no security at all! * - * This enables the following ciphersuites: - * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA - * * Uncomment this macro to enable weak ciphersuites * * \warning DES is considered a weak cipher and its use constitutes a diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 176e6bc6e4..95dd36752f 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
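Review bot: The context line `\warning DES is considered a weak cipher and its use constitutes a` is left in place in this comment block after the two single-DES suites are removed from the list, so the option's documentation still warns about a cipher it no longer appears to enable. The same stale warning remains in the `include/mbedtls/config.h` hunk. Judging by the `ssl_ciphersuites.c` hunk, the weak-suite block still closes right after the `MBEDTLS_CIPHER_NULL_CIPHER` section, so the option presumably now gates only the NULL suites; that should be confirmed against the full file. I would reword the warning to match, for example `\warning Weak ciphersuites (e.g. NULL encryption) provide no confidentiality; enable only for testing.` The comment block starts and ends outside the hunk, so the rest of the warning text is not visible here.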
@@ -702,10 +702,6 @@ * Warning: Only do so when you know what you are doing. This allows for * channels with virtually no security at all! * - * This enables the following ciphersuites: - * MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA - * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA - * * Uncomment this macro to enable weak ciphersuites * * \warning DES is considered a weak cipher and its use constitutes a diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index ff6635408d..3eacfb5a3e 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -42,11 +42,8 @@ extern "C" { #define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */ #define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */ -#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 0x09 /**< Weak! Not in TLS 1.2 */ - #define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A -#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 /**< Weak! Not in TLS 1.2 */ #define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16 #define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 8d0d088fef..49e078407e 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -266,10 +266,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, - /* Weak suites */ - MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, - /* NULL suites */ MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, 
@@ -1671,29 +1667,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ -#if defined(MBEDTLS_DES_C) -#if defined(MBEDTLS_CIPHER_MODE_CBC) -#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) -#if defined(MBEDTLS_SHA1_C) - { MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA", - MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA, - MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1, - MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, - MBEDTLS_CIPHERSUITE_WEAK }, -#endif /* MBEDTLS_SHA1_C */ -#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ - -#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) -#if defined(MBEDTLS_SHA1_C) - { MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA", - MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA, - MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1, - MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3, - MBEDTLS_CIPHERSUITE_WEAK }, -#endif /* MBEDTLS_SHA1_C */ -#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ -#endif /* MBEDTLS_CIPHER_MODE_CBC */ -#endif /* MBEDTLS_DES_C */ #endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */ #if defined(MBEDTLS_ARIA_C)