no chacha

aws · Jul 11, 2024 · ba2ad3d · ba2ad3d
1 parent a6b4b9f
commit ba2ad3d
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 34 deletions.
diff --git a/default.diff b/default.diff
@@ -1,8 +1,8 @@
 diff --git a/default.old b/default.new
-index 5e6a085f9..24a1b9ef3 100644
+index 5e6a085f9..90fc3254a 100644
 --- a/default.old
 +++ b/default.new
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,11 @@
 -name: 20240501
 +name: default
  min version: TLS1.2
@@ -12,7 +12,6 @@ index 5e6a085f9..24a1b9ef3 100644
  cipher suites:
 +- TLS_AES_256_GCM_SHA384
 +- TLS_AES_128_GCM_SHA256
-+- TLS_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
diff --git a/default.new b/default.new
@@ -6,7 +6,6 @@ rules:
 cipher suites:
 - TLS_AES_256_GCM_SHA384
 - TLS_AES_128_GCM_SHA256
-- TLS_CHACHA20_POLY1305_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
@@ -329,10 +329,12 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 
 /*
  * TLS1.3 support.
+ * FIPS compliant.
  * No DHE (would require extra setup with s2n_config_add_dhparams)
  */
 struct s2n_cipher_suite *cipher_suites_20240701[] = {
-    S2N_TLS13_CIPHER_SUITES_20190801,
+    &s2n_tls13_aes_256_gcm_sha384,
+    &s2n_tls13_aes_128_gcm_sha256,
     /* TLS1.2 with ECDSA */
     &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
@@ -352,33 +354,6 @@ const struct s2n_cipher_preferences cipher_preferences_20240701 = {
     .allow_chacha20_boosting = false,
 };
 
-/*
- * TLS1.3 support.
- * FIPS compliant.
- * No DHE (would require extra setup with s2n_config_add_dhparams)
- */
-struct s2n_cipher_suite *cipher_suites_20240702[] = {
-    &s2n_tls13_aes_256_gcm_sha384,
-    &s2n_tls13_aes_128_gcm_sha256,
-    /* TLS1.2 with ECDSA */
-    &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
-    &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
-    &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
-    &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
-
-    /* TLS1.2 with RSA */
-    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
-    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
-    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
-    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
-};
-
-const struct s2n_cipher_preferences cipher_preferences_20240702 = {
-    .count = s2n_array_len(cipher_suites_20240702),
-    .suites = cipher_suites_20240702,
-    .allow_chacha20_boosting = false,
-};
-
 /* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
 struct s2n_cipher_suite *cipher_suites_20190122[] = {
     &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,

diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
@@ -28,7 +28,6 @@ struct s2n_cipher_preferences {
 };
 
 extern const struct s2n_cipher_preferences cipher_preferences_20240701;
-extern const struct s2n_cipher_preferences cipher_preferences_20240702;
 extern const struct s2n_cipher_preferences cipher_preferences_20230317;
 extern const struct s2n_cipher_preferences cipher_preferences_20240331;
 extern const struct s2n_cipher_preferences cipher_preferences_20140601;

diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
@@ -37,7 +37,7 @@ const struct s2n_security_policy security_policy_20240701 = {
 /* FIPS default as of 07/01. Supports TLS 1.3 */
 const struct s2n_security_policy security_policy_20240702 = {
     .minimum_protocol_version = S2N_TLS12,
-    .cipher_preferences = &cipher_preferences_20240702,
+    .cipher_preferences = &cipher_preferences_20240701,
     .kem_preferences = &kem_preferences_null,
     .signature_preferences = &s2n_signature_preferences_20240501,
     .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,