From cee427002beeb39a022dcf132d30567ece6d2a85 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Mon, 26 Apr 2021 11:34:44 +0200
Subject: [PATCH] Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
Fix 4416
Signed-off-by: Ronald Cron
---
 configs/config-psa-crypto.h | 17 +----------------
 include/mbedtls/config.h | 17 +----------------
 library/ssl_ciphersuites.c | 3 ---
 library/version_features.c | 3 ---
 programs/test/query_config.c | 8 --------
 5 files changed, 2 insertions(+), 46 deletions(-)
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 29c6d145c8..846900a30b 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -612,8 +612,7 @@
 * Warning: Only do so when you know what you are doing. This allows for
 * encryption or channels without any security!
 *
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@@ -654,20 +653,6 @@
 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 #define MBEDTLS_CIPHER_PADDING_ZEROS
-/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- /** - * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED - *
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index dabbb2889a..48d3052d21 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
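Review bot: The replacement line `+ * To enable the following ciphersuites:` in the MBEDTLS_CIPHER_NULL_CIPHER description of configs/config-psa-crypto.h is left as a sentence fragment: the old text said this option was required together with MBEDTLS_ENABLE_WEAK_CIPHERSUITES, and with that half deleted the comment no longer says that defining this option is, by itself, what compiles the NULL-cipher suites into the TLS ciphersuite table. A complete sentence would be clearer, e.g. ` * This enables the following ciphersuites (if other requisites are` / ` * enabled as well):`. Since this option is now the only compile-time gate on those suites, it may also be worth moving the deleted `\warning` paragraph up into this description so the generated documentation still carries an explicit warning block. The same wording change is repeated in include/mbedtls/config.h in the second file of this patch.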
@@ -659,8 +659,7 @@
 * Warning: Only do so when you know what you are doing. This allows for
 * encryption or channels without any security!
 *
- * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
+ * To enable the following ciphersuites:
 * MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
 * MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
 * MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@@ -708,20 +707,6 @@
 */
 //#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
-/**
- * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS.
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * Uncomment this macro to enable weak ciphersuites
- *
- * \warning DES is considered a weak cipher and its use constitutes a
- * security risk. We recommend considering stronger ciphers instead.
- */
-//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
- /** - * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES - *
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 49e078407e..f51f2026d0 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1534,7 +1534,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 #endif /* MBEDTLS_AES_C */
 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
 #if defined(MBEDTLS_MD5_C)
@@ -1667,8 +1666,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
 #endif /* MBEDTLS_CIPHER_NULL_CIPHER */
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
 #if defined(MBEDTLS_ARIA_C)
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
diff --git a/library/version_features.c b/library/version_features.c
index 7af2474fe3..11c5f0968c 100644
--- a/library/version_features.c
+++ b/library/version_features.c
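Review bot: Dropping the outer `#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)` at the top of the first library/ssl_ciphersuites.c hunk means `MBEDTLS_CIPHER_NULL_CIPHER` alone now compiles the NULL-encryption TLS suites into `ciphersuite_definitions[]` (the array begins and ends outside the hunk), so a custom config that enabled the NULL cipher for the generic cipher layer but never opted into weak suites would silently gain TLS suites with no confidentiality, and nothing in this patch makes that visible at build time. Whether those entries are also offered by default depends on the ciphersuite preference list elsewhere in this file, which I cannot see here. Two cheap mitigations: have check_config.h emit an `#error` if MBEDTLS_ENABLE_WEAK_CIPHERSUITES is still defined, so stale configs fail loudly rather than having the define ignored, and put a one-line warning above the surviving guard, e.g. `/* NULL-cipher suites: no confidentiality. Built whenever MBEDTLS_CIPHER_NULL_CIPHER is defined. */`.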
@@ -300,9 +300,6 @@ static const char * const features[] = {
 #if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
 "MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
 #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
 #if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
 "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
 #endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 05b3df8240..ab9e2f7aaf 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -851,14 +851,6 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
- if( strcmp( "MBEDTLS_ENABLE_WEAK_CIPHERSUITES", config ) == 0 )
- {
- MACRO_EXPANSION_TO_STR( MBEDTLS_ENABLE_WEAK_CIPHERSUITES );
- return( 0 );
- }
-#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
-
 #if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
 if( strcmp( "MBEDTLS_REMOVE_3DES_CIPHERSUITES", config ) == 0 )
 {