Remove the DHE-RSA key exchange

[gilles-peskine-arm]

Remove the DHE-RSA key exchange.

This completes the removal of finite-field Diffie-Hellman from TLS 1.2. Note that it remains available in TLS 1.3.

• Prerequisites:
  • https://github.com/Mbed-TLS/mbedtls/issues/9684
  • Test cases: https://github.com/Mbed-TLS/mbedtls/issues/9688
  • Together with https://github.com/Mbed-TLS/mbedtls/issues/9682, we're removing the ability to do a non-PSK key exchange that doesn't involve ECC. This may need a rethink of how we test handshake attempts when the other side doesn't like the elliptic_curves or ec_point_formats extension.
• Config option: MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
• Key exchange type: MBEDTLS_KEY_EXCHANGE_DHE_RSA
• Affected cipher suite macros regex: MBEDTLS_TLS_DHE_RSA_WITH_\w+
• Full list of cipher suite names:

  TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  TLS-DHE-RSA-WITH-AES-256-CCM
  TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
  TLS-DHE-RSA-WITH-AES-256-CBC-SHA
  TLS-DHE-RSA-WITH-AES-256-CCM-8
  TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384
  TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
  TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
  TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384
  TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
  TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  TLS-DHE-RSA-WITH-AES-128-CCM
  TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
  TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  TLS-DHE-RSA-WITH-AES-128-CCM-8
  TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256
  TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
  TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256
  TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

• Follow-up: https://github.com/Mbed-TLS/mbedtls/issues/9686

Follow the steps in https://github.com/Mbed-TLS/mbedtls/issues/9681 unless there is a good reason to deviate.

[mpg]

we're removing the ability to do a non-PSK key exchange that involves ECC

I think you mean that doesn't involve ECC?