Commit 7f02881e authored by Adam Langley's avatar Adam Langley Committed by CQ bot account: [email protected]

Drop CECPQ2b code.

The experiment which motivated CECPQ2b has concluded (although the
results haven't been published yet) and the SIKE code is causing some
issues for gRPC in grpc/grpc#20100. Also, this is code size that takes
up space in Android etc.

Change-Id: I43b0b8c420f236c0fe9b40bf2517d2fde98495d5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38384

Reviewed-by: default avatarDavid Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
parent 7de9498a
......@@ -181,29 +181,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
The code in third_party/sike also carries the MIT license:
Copyright (c) Microsoft Corporation. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE
Licenses for support code
-------------------------
......
......@@ -115,7 +115,6 @@ if(${ARCH} STREQUAL "aarch64")
chacha/chacha-armv8.${ASM_EXT}
test/trampoline-armv8.${ASM_EXT}
third_party/sike/asm/fp-armv8.${ASM_EXT}
)
endif()
......@@ -137,7 +136,6 @@ if(${ARCH} STREQUAL "x86_64")
cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT}
hrss/asm/poly_rq_mul.S
test/trampoline-x86_64.${ASM_EXT}
third_party/sike/asm/fp-x86_64.${ASM_EXT}
)
endif()
......@@ -147,8 +145,6 @@ perlasm(chacha/chacha-x86.${ASM_EXT} chacha/asm/chacha-x86.pl)
perlasm(chacha/chacha-x86_64.${ASM_EXT} chacha/asm/chacha-x86_64.pl)
perlasm(cipher_extra/aes128gcmsiv-x86_64.${ASM_EXT} cipher_extra/asm/aes128gcmsiv-x86_64.pl)
perlasm(cipher_extra/chacha20_poly1305_x86_64.${ASM_EXT} cipher_extra/asm/chacha20_poly1305_x86_64.pl)
perlasm(third_party/sike/asm/fp-x86_64.${ASM_EXT} ../third_party/sike/asm/fp-x86_64.pl)
perlasm(third_party/sike/asm/fp-armv8.${ASM_EXT} ../third_party/sike/asm/fp-armv8.pl)
perlasm(test/trampoline-armv4.${ASM_EXT} test/asm/trampoline-armv4.pl)
perlasm(test/trampoline-armv8.${ASM_EXT} test/asm/trampoline-armv8.pl)
perlasm(test/trampoline-x86.${ASM_EXT} test/asm/trampoline-x86.pl)
......@@ -412,11 +408,6 @@ add_library(
x509v3/v3_sxnet.c
x509v3/v3_utl.c
../third_party/fiat/curve25519.c
../third_party/sike/fpx.c
../third_party/sike/isogeny.c
../third_party/sike/curve_params.c
../third_party/sike/sike.c
../third_party/sike/asm/fp_generic.c
$<TARGET_OBJECTS:fipsmodule>
......@@ -537,7 +528,6 @@ add_executable(
x509/x509_time_test.cc
x509v3/tab_test.cc
x509v3/v3name_test.cc
../third_party/sike/sike_test.cc
$<TARGET_OBJECTS:crypto_test_data>
$<TARGET_OBJECTS:boringssl_gtest_main>
......
......@@ -57,7 +57,7 @@
/* This file is generated by crypto/obj/objects.go. */
#define NUM_NID 961
#define NUM_NID 960
static const uint8_t kObjectData[] = {
/* NID_rsadsi */
......@@ -8756,7 +8756,6 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
{"KxANY", "kx-any", NID_kx_any, 0, NULL, 0},
{"AuthANY", "auth-any", NID_auth_any, 0, NULL, 0},
{"CECPQ2", "CECPQ2", NID_CECPQ2, 0, NULL, 0},
{"CECPQ2b", "CECPQ2b", NID_CECPQ2b, 0, NULL, 0},
};
static const unsigned kNIDsInShortNameOrder[] = {
......@@ -8819,7 +8818,6 @@ static const unsigned kNIDsInShortNameOrder[] = {
109 /* CAST5-ECB */,
111 /* CAST5-OFB */,
959 /* CECPQ2 */,
960 /* CECPQ2b */,
894 /* CMAC */,
13 /* CN */,
141 /* CRLReason */,
......@@ -9725,7 +9723,6 @@ static const unsigned kNIDsInLongNameOrder[] = {
179 /* CA Issuers */,
785 /* CA Repository */,
959 /* CECPQ2 */,
960 /* CECPQ2b */,
131 /* Code Signing */,
783 /* Diffie-Hellman based MAC */,
382 /* Directory */,
......
......@@ -948,4 +948,3 @@ auth_psk 956
kx_any 957
auth_any 958
CECPQ2 959
CECPQ2b 960
......@@ -1337,9 +1337,6 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
# NID for CECPQ2 (no corresponding OID).
: CECPQ2
# NID for CECPQ2 (no corresponding OID).
: CECPQ2b
# See RFC 8410.
1 3 101 112 : ED25519
......
......@@ -4237,9 +4237,6 @@ extern "C" {
#define SN_CECPQ2 "CECPQ2"
#define NID_CECPQ2 959
#define SN_CECPQ2b "CECPQ2b"
#define NID_CECPQ2b 960
#if defined(__cplusplus)
} /* extern C */
......
......@@ -2231,7 +2231,6 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
#define SSL_CURVE_SECP521R1 25
#define SSL_CURVE_X25519 29
#define SSL_CURVE_CECPQ2 16696
#define SSL_CURVE_CECPQ2b 65074
// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
// completed handshake or 0 if not applicable.
......
......@@ -660,8 +660,7 @@ class CipherScorer {
public:
CipherScorer(uint16_t group_id)
: aes_is_fine_(EVP_has_aes_hardware()),
security_128_is_fine_(group_id != SSL_CURVE_CECPQ2 &&
group_id != SSL_CURVE_CECPQ2b) {}
security_128_is_fine_(group_id != SSL_CURVE_CECPQ2) {}
typedef std::tuple<bool, bool, bool> Score;
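Review bot: The constructor's `group_id != SSL_CURVE_CECPQ2` test now duplicates `is_post_quantum_group`, which a later section of this commit reduces to the same single comparison, so the cipher-strength policy and the post-quantum classification are maintained in two places. If another post-quantum group is added and only the predicate is updated, this scorer would treat 128-bit ciphers as acceptable for it. Consider sharing the predicate and writing `security_128_is_fine_(!is_post_quantum_group(group_id)) {}`; the predicate is `static` where it is defined, so this would presumably need a declaration in a shared internal header that is not visible here. A comment such as `// Post-quantum groups prefer 256-bit ciphers; AES-128 is used only if nothing else is offered.` would record why the group feeds into cipher scoring, matching the wording of the runner test comments on this page. The class body continues outside this hunk.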
......
......@@ -31,7 +31,6 @@
#include "internal.h"
#include "../crypto/internal.h"
#include "../third_party/sike/sike.h"
BSSL_NAMESPACE_BEGIN
......@@ -300,87 +299,6 @@ class CECPQ2KeyShare : public SSLKeyShare {
HRSS_private_key hrss_private_key_;
};
class CECPQ2bKeyShare : public SSLKeyShare {
public:
uint16_t GroupID() const override { return SSL_CURVE_CECPQ2b; }
bool Offer(CBB *out) override {
uint8_t public_x25519[32] = {0};
X25519_keypair(public_x25519, private_x25519_);
if (!SIKE_keypair(private_sike_, public_sike_)) {
return false;
}
return CBB_add_bytes(out, public_x25519, sizeof(public_x25519)) &&
CBB_add_bytes(out, public_sike_, sizeof(public_sike_));
}
bool Accept(CBB *out_public_key, Array<uint8_t> *out_secret,
uint8_t *out_alert, Span<const uint8_t> peer_key) override {
uint8_t public_x25519[32];
uint8_t private_x25519[32];
uint8_t sike_ciphertext[SIKE_CT_BYTESZ] = {0};
*out_alert = SSL_AD_INTERNAL_ERROR;
if (peer_key.size() != sizeof(public_x25519) + SIKE_PUB_BYTESZ) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
return false;
}
Array<uint8_t> secret;
if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return false;
}
X25519_keypair(public_x25519, private_x25519);
if (!X25519(secret.data(), private_x25519, peer_key.data())) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
return false;
}
SIKE_encaps(secret.data() + sizeof(private_x25519_), sike_ciphertext,
peer_key.data() + sizeof(public_x25519));
*out_secret = std::move(secret);
return CBB_add_bytes(out_public_key, public_x25519,
sizeof(public_x25519)) &&
CBB_add_bytes(out_public_key, sike_ciphertext,
sizeof(sike_ciphertext));
}
bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert,
Span<const uint8_t> peer_key) override {
*out_alert = SSL_AD_INTERNAL_ERROR;
Array<uint8_t> secret;
if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return false;
}
if (peer_key.size() != 32 + SIKE_CT_BYTESZ ||
!X25519(secret.data(), private_x25519_, peer_key.data())) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
return false;
}
SIKE_decaps(secret.data() + sizeof(private_x25519_), peer_key.data() + 32,
public_sike_, private_sike_);
*out_secret = std::move(secret);
return true;
}
private:
uint8_t private_x25519_[32];
uint8_t private_sike_[SIKE_PRV_BYTESZ];
uint8_t public_sike_[SIKE_PUB_BYTESZ];
};
CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
{NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
{NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
......@@ -388,7 +306,6 @@ CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
{NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
{NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
{NID_CECPQ2, SSL_CURVE_CECPQ2, "CECPQ2", "CECPQ2"},
{NID_CECPQ2b, SSL_CURVE_CECPQ2b, "CECPQ2b", "CECPQ2b"},
};
} // namespace
......@@ -415,8 +332,6 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
return UniquePtr<SSLKeyShare>(New<X25519KeyShare>());
case SSL_CURVE_CECPQ2:
return UniquePtr<SSLKeyShare>(New<CECPQ2KeyShare>());
case SSL_CURVE_CECPQ2b:
return UniquePtr<SSLKeyShare>(New<CECPQ2bKeyShare>());
default:
return nullptr;
}
......
......@@ -200,7 +200,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
}
static bool is_post_quantum_group(uint16_t id) {
return id == SSL_CURVE_CECPQ2 || id == SSL_CURVE_CECPQ2b;
return id == SSL_CURVE_CECPQ2;
}
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
......
......@@ -151,7 +151,6 @@ const (
CurveP521 CurveID = 25
CurveX25519 CurveID = 29
CurveCECPQ2 CurveID = 16696
CurveCECPQ2b CurveID = 65074
)
// TLS Elliptic Curve Point Formats
......@@ -1732,7 +1731,7 @@ func (c *Config) maxVersion(isDTLS bool) uint16 {
return ret
}
var defaultCurvePreferences = []CurveID{CurveCECPQ2b, CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
func (c *Config) curvePreferences() []CurveID {
if c == nil || len(c.CurvePreferences) == 0 {
......
......@@ -210,7 +210,7 @@ func (hs *serverHandshakeState) readClientHello() error {
if config.Bugs.FailIfCECPQ2Offered {
for _, offeredCurve := range hs.clientHello.supportedCurves {
if isPqGroup(offeredCurve) {
return errors.New("tls: CECPQ2 or CECPQ2b was offered")
return errors.New("tls: CECPQ2 was offered")
}
}
}
......@@ -1227,7 +1227,7 @@ func (hs *serverHandshakeState) processClientHello() (isResume bool, err error)
Curves:
for _, curve := range hs.clientHello.supportedCurves {
if isPqGroup(curve) && c.vers < VersionTLS13 {
// CECPQ2 and CECPQ2b is TLS 1.3-only.
// CECPQ2 is TLS 1.3-only.
continue
}
......
......@@ -19,7 +19,6 @@ import (
"boringssl.googlesource.com/boringssl/ssl/test/runner/curve25519"
"boringssl.googlesource.com/boringssl/ssl/test/runner/hrss"
"boringssl.googlesource.com/boringssl/ssl/test/runner/sike"
)
type keyType int
......@@ -434,98 +433,6 @@ func (e *cecpq2Curve) finish(peerKey []byte) (preMasterSecret []byte, err error)
return preMasterSecret, nil
}
// cecpq2BCurve implements CECPQ2b, which is SIKE combined with X25519.
type cecpq2BCurve struct {
// Both public key and shared secret size
x25519PrivateKey [32]byte
sikePrivateKey *sike.PrivateKey
}
func (e *cecpq2BCurve) offer(rand io.Reader) (publicKey []byte, err error) {
if _, err = io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil {
return nil, err
}
var x25519Public [32]byte
curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey)
e.sikePrivateKey = sike.NewPrivateKey(sike.KeyVariant_SIKE)
if err = e.sikePrivateKey.Generate(rand); err != nil {
return nil, err
}
sikePublic := e.sikePrivateKey.GeneratePublicKey().Export()
var ret []byte
ret = append(ret, x25519Public[:]...)
ret = append(ret, sikePublic...)
return ret, nil
}
func (e *cecpq2BCurve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) {
if len(peerKey) != 32+sike.Params.PublicKeySize {
return nil, nil, errors.New("tls: bad length CECPQ2b offer")
}
if _, err = io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil {
return nil, nil, err
}
var x25519Shared, x25519PeerKey, x25519Public [32]byte
copy(x25519PeerKey[:], peerKey)
curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey)
curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey)
// Per RFC 7748, reject the all-zero value in constant time.
var zeros [32]byte
if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 {
return nil, nil, errors.New("tls: X25519 value with wrong order")
}
var sikePubKey = sike.NewPublicKey(sike.KeyVariant_SIKE)
if err = sikePubKey.Import(peerKey[32:]); err != nil {
// should never happen as size was already checked
return nil, nil, errors.New("tls: implementation error")
}
sikeCiphertext, sikeShared, err := sike.Encapsulate(rand, sikePubKey)
if err != nil {
return nil, nil, err
}
publicKey = append(publicKey, x25519Public[:]...)
publicKey = append(publicKey, sikeCiphertext...)
preMasterSecret = append(preMasterSecret, x25519Shared[:]...)
preMasterSecret = append(preMasterSecret, sikeShared...)
return publicKey, preMasterSecret, nil
}
func (e *cecpq2BCurve) finish(peerKey []byte) (preMasterSecret []byte, err error) {
if len(peerKey) != 32+(sike.Params.PublicKeySize+sike.Params.MsgLen) {
return nil, errors.New("tls: bad length CECPQ2b reply")
}
var x25519Shared, x25519PeerKey [32]byte
copy(x25519PeerKey[:], peerKey)
curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey)
// Per RFC 7748, reject the all-zero value in constant time.
var zeros [32]byte
if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 {
return nil, errors.New("tls: X25519 value with wrong order")
}
var sikePubKey = e.sikePrivateKey.GeneratePublicKey()
sikeShared, err := sike.Decapsulate(e.sikePrivateKey, sikePubKey, peerKey[32:])
if err != nil {
return nil, errors.New("tls: invalid SIKE ciphertext")
}
preMasterSecret = append(preMasterSecret, x25519Shared[:]...)
preMasterSecret = append(preMasterSecret, sikeShared...)
return preMasterSecret, nil
}
func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) {
switch id {
case CurveP224:
......@@ -540,8 +447,6 @@ func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) {
return &x25519ECDHCurve{setHighBit: config.Bugs.SetX25519HighBit}, true
case CurveCECPQ2:
return &cecpq2Curve{}, true
case CurveCECPQ2b:
return &cecpq2BCurve{}, true
default:
return nil, false
}
......@@ -690,7 +595,7 @@ func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Cer
NextCandidate:
for _, candidate := range preferredCurves {
if isPqGroup(candidate) && version < VersionTLS13 {
// CECPQ2 and CECPQ2b is TLS 1.3-only.
// CECPQ2 is TLS 1.3-only.
continue
}
......
......@@ -10449,13 +10449,12 @@ var testCurves = []struct {
{"P-521", CurveP521},
{"X25519", CurveX25519},
{"CECPQ2", CurveCECPQ2},
{"CECPQ2b", CurveCECPQ2b},
}
const bogusCurve = 0x1234
func isPqGroup(r CurveID) bool {
return r == CurveCECPQ2 || r == CurveCECPQ2b
return r == CurveCECPQ2
}
func addCurveTests() {
......@@ -10928,21 +10927,6 @@ func addCurveTests() {
},
})
// CECPQ2b should not be offered by a TLS < 1.3 client.
testCases = append(testCases, testCase{
name: "CECPQ2bNotInTLS12",
config: Config{
Bugs: ProtocolBugs{
FailIfCECPQ2Offered: true,
},
},
flags: []string{
"-max-version", strconv.Itoa(VersionTLS12),
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
"-curves", strconv.Itoa(int(CurveX25519)),
},
})
// CECPQ2 should not crash a TLS < 1.3 client if the server mistakenly
// selects it.
testCases = append(testCases, testCase{
......@@ -10961,24 +10945,6 @@ func addCurveTests() {
expectedError: ":WRONG_CURVE:",
})
// CECPQ2b should not crash a TLS < 1.3 client if the server mistakenly
// selects it.
testCases = append(testCases, testCase{
name: "CECPQ2bNotAcceptedByTLS12Client",
config: Config{
Bugs: ProtocolBugs{
SendCurve: CurveCECPQ2b,
},
},
flags: []string{
"-max-version", strconv.Itoa(VersionTLS12),
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
"-curves", strconv.Itoa(int(CurveX25519)),
},
shouldFail: true,
expectedError: ":WRONG_CURVE:",
})
// CECPQ2 should not be offered by default as a client.
testCases = append(testCases, testCase{
name: "CECPQ2NotEnabledByDefaultInClients",
......@@ -10990,17 +10956,6 @@ func addCurveTests() {
},
})
// CECPQ2b should not be offered by default as a client.
testCases = append(testCases, testCase{
name: "CECPQ2bNotEnabledByDefaultInClients",
config: Config{
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
FailIfCECPQ2Offered: true,
},
},
})
// If CECPQ2 is offered, both X25519 and CECPQ2 should have a key-share.
testCases = append(testCases, testCase{
name: "NotJustCECPQ2KeyShare",
......@@ -11033,38 +10988,6 @@ func addCurveTests() {
},
})
// If CECPQ2b is offered, both X25519 and CECPQ2b should have a key-share.
testCases = append(testCases, testCase{
name: "NotJustCECPQ2bKeyShare",
config: Config{
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectedKeyShares: []CurveID{CurveCECPQ2b, CurveX25519},
},
},
flags: []string{
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
"-curves", strconv.Itoa(int(CurveX25519)),
"-expect-curve-id", strconv.Itoa(int(CurveCECPQ2b)),
},
})
// ... but only if CECPQ2b is listed first.
testCases = append(testCases, testCase{
name: "CECPQ2bKeyShareNotIncludedSecond",
config: Config{
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectedKeyShares: []CurveID{CurveX25519},
},
},
flags: []string{
"-curves", strconv.Itoa(int(CurveX25519)),
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
},
})
// If CECPQ2 is the only configured curve, the key share is sent.
testCases = append(testCases, testCase{
name: "JustConfiguringCECPQ2Works",
......@@ -11080,21 +11003,6 @@ func addCurveTests() {
},
})
// If CECPQ2b is the only configured curve, the key share is sent.
testCases = append(testCases, testCase{
name: "JustConfiguringCECPQ2bWorks",
config: Config{
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
ExpectedKeyShares: []CurveID{CurveCECPQ2b},
},
},
flags: []string{
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
"-expect-curve-id", strconv.Itoa(int(CurveCECPQ2b)),
},
})
// As a server, CECPQ2 is not yet supported by default.
testCases = append(testCases, testCase{
testType: serverTest,
......@@ -11109,21 +11017,6 @@ func addCurveTests() {
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
},
})
// As a server, CECPQ2b is not yet supported by default.
testCases = append(testCases, testCase{
testType: serverTest,
name: "CECPQ2bNotEnabledByDefaultForAServer",
config: Config{
MinVersion: VersionTLS13,
CurvePreferences: []CurveID{CurveCECPQ2b, CurveX25519},
DefaultCurves: []CurveID{CurveCECPQ2b},
},
flags: []string{
"-server-preference",
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
},
})
}
func addTLS13RecordTests() {
......@@ -14049,21 +13942,6 @@ func addTLS13CipherPreferenceTests() {
},
})
// CECPQ2b prefers 256-bit ciphers but will use AES-128 if there's nothing else.
testCases = append(testCases, testCase{
testType: serverTest,
name: "TLS13-CipherPreference-CECPQ2b-AES128Only",
config: Config{
MaxVersion: VersionTLS13,
CipherSuites: []uint16{
TLS_AES_128_GCM_SHA256,
},
},
flags: []string{
"-curves", strconv.Itoa(int(CurveCECPQ2b)),
},
})
// When a 256-bit cipher is offered, even if not in first place, it should be
// picked.
testCases = append(testCases, testCase{
......@@ -14098,40 +13976,6 @@ func addTLS13CipherPreferenceTests() {
expectedCipher: TLS_AES_128_GCM_SHA256,
})