From ba2ad3d9d04bc0b0ee87920fca673ac55e468eac Mon Sep 17 00:00:00 2001
From: Apoorv Kothari <apoorv@toidiu.com>
Date: Wed, 10 Jul 2024 22:21:58 -0700
Subject: [PATCH] no chacha

---
 default.diff                 |  5 ++---
 default.new                  |  1 -
 tls/s2n_cipher_preferences.c | 31 +++----------------------------
 tls/s2n_cipher_preferences.h |  1 -
 tls/s2n_security_policies.c  |  2 +-
 5 files changed, 6 insertions(+), 34 deletions(-)

diff --git a/default.diff b/default.diff
index 6bcbed3d838..520ee7a786e 100644
--- a/default.diff
+++ b/default.diff
@@ -1,8 +1,8 @@
 diff --git a/default.old b/default.new
-index 5e6a085f9..24a1b9ef3 100644
+index 5e6a085f9..90fc3254a 100644
 --- a/default.old
 +++ b/default.new
-@@ -1,9 +1,12 @@
+@@ -1,9 +1,11 @@
 -name: 20240501
 +name: default
  min version: TLS1.2
@@ -12,7 +12,6 @@ index 5e6a085f9..24a1b9ef3 100644
  cipher suites:
 +- TLS_AES_256_GCM_SHA384
 +- TLS_AES_128_GCM_SHA256
-+- TLS_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
diff --git a/default.new b/default.new
index 24a1b9ef395..90fc3254a41 100644
--- a/default.new
+++ b/default.new
@@ -6,7 +6,6 @@ rules:
 cipher suites:
 - TLS_AES_256_GCM_SHA384
 - TLS_AES_128_GCM_SHA256
-- TLS_CHACHA20_POLY1305_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index 4911959e3e7..d1fc5c51e14 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -329,10 +329,12 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 
 /*
  * TLS1.3 support.
+ * FIPS compliant.
  * No DHE (would require extra setup with s2n_config_add_dhparams)
  */
 struct s2n_cipher_suite *cipher_suites_20240701[] = {
-    S2N_TLS13_CIPHER_SUITES_20190801,
+    &s2n_tls13_aes_256_gcm_sha384,
+    &s2n_tls13_aes_128_gcm_sha256,
     /* TLS1.2 with ECDSA */
     &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
     &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
@@ -352,33 +354,6 @@ const struct s2n_cipher_preferences cipher_preferences_20240701 = {
     .allow_chacha20_boosting = false,
 };
 
-/*
- * TLS1.3 support.
- * FIPS compliant.
- * No DHE (would require extra setup with s2n_config_add_dhparams)
- */
-struct s2n_cipher_suite *cipher_suites_20240702[] = {
-    &s2n_tls13_aes_256_gcm_sha384,
-    &s2n_tls13_aes_128_gcm_sha256,
-    /* TLS1.2 with ECDSA */
-    &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
-    &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
-    &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
-    &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
-
-    /* TLS1.2 with RSA */
-    &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
-    &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
-    &s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
-    &s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
-};
-
-const struct s2n_cipher_preferences cipher_preferences_20240702 = {
-    .count = s2n_array_len(cipher_suites_20240702),
-    .suites = cipher_suites_20240702,
-    .allow_chacha20_boosting = false,
-};
-
 /* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
 struct s2n_cipher_suite *cipher_suites_20190122[] = {
     &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
index ae15c4f9e30..f4e87af3ca2 100644
--- a/tls/s2n_cipher_preferences.h
+++ b/tls/s2n_cipher_preferences.h
@@ -28,7 +28,6 @@ struct s2n_cipher_preferences {
 };
 
 extern const struct s2n_cipher_preferences cipher_preferences_20240701;
-extern const struct s2n_cipher_preferences cipher_preferences_20240702;
 extern const struct s2n_cipher_preferences cipher_preferences_20230317;
 extern const struct s2n_cipher_preferences cipher_preferences_20240331;
 extern const struct s2n_cipher_preferences cipher_preferences_20140601;
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index f3b9eafbc31..1738ae52e25 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -37,7 +37,7 @@ const struct s2n_security_policy security_policy_20240701 = {
 /* FIPS default as of 07/01. Supports TLS 1.3 */
 const struct s2n_security_policy security_policy_20240702 = {
     .minimum_protocol_version = S2N_TLS12,
-    .cipher_preferences = &cipher_preferences_20240702,
+    .cipher_preferences = &cipher_preferences_20240701,
     .kem_preferences = &kem_preferences_null,
     .signature_preferences = &s2n_signature_preferences_20240501,
     .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,