Drop the preference for 256-bit ciphers with CECPQ2.
I did this because I was tired of explaining Grover's algorithm and
circuit depth, but it never made large amounts of sense and it conflates any
measurements of post-quantum impact. If you want to configure a server
with a preference for 256-bit ciphers, that's still completely possible.
Change-Id: I3dc951ec724a713bb4da75c204d1105c62de8d74
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55929
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
index cb831f2..4beb322 100644
--- a/ssl/s3_both.cc
+++ b/ssl/s3_both.cc
@@ -664,31 +664,26 @@
// the client.
class CipherScorer {
public:
- CipherScorer(uint16_t group_id)
- : aes_is_fine_(EVP_has_aes_hardware()),
- security_128_is_fine_(group_id != SSL_CURVE_CECPQ2) {}
+ CipherScorer() : aes_is_fine_(EVP_has_aes_hardware()) {}
- typedef std::tuple<bool, bool, bool> Score;
+ typedef std::tuple<bool, bool> Score;
// MinScore returns a |Score| that will compare less than the score of all
// cipher suites.
Score MinScore() const {
- return Score(false, false, false);
+ return Score(false, false);
}
Score Evaluate(const SSL_CIPHER *a) const {
return Score(
// Something is always preferable to nothing.
true,
- // Either 128-bit is fine, or 256-bit is preferred.
- security_128_is_fine_ || a->algorithm_enc != SSL_AES128GCM,
// Either AES is fine, or else ChaCha20 is preferred.
aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305);
}
private:
const bool aes_is_fine_;
- const bool security_128_is_fine_;
};
bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips) {
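Review bot: The new zero-argument constructor on the `CipherScorer()` line removes the group dependency, but the class comment ending in `// the client.` starts outside the hunk and is not touched; if it still describes CECPQ2 or the selected key-share group as an input to scoring, it should be rewritten to say that the only remaining server-side input is whether AES hardware is present (everything else follows the client's order). On the rewritten `typedef std::tuple<bool, bool> Score;` line, `using Score = std::tuple<bool, bool>;` is the idiomatic spelling for a line that is being changed anyway. The remaining two tuple elements are commented in `Evaluate`, so no further documentation is needed there.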
@@ -715,7 +710,7 @@
}
const SSL_CIPHER *best = nullptr;
- CipherScorer scorer(group_id);
+ CipherScorer scorer;
CipherScorer::Score best_score = scorer.MinScore();
while (CBS_len(&cipher_suites) > 0) {
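Review bot: With `CipherScorer scorer;` no longer taking `group_id`, that value appears to have no remaining reader in this function; its signature is outside the hunk, so if `group_id` is still a parameter it is now unused and should either be dropped from the declaration and its callers or marked `[[maybe_unused]] uint16_t group_id` until that cleanup lands, so a warnings-as-errors build does not trip on it. The enclosing function starts and ends outside this hunk.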
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index a30dba0..de64a9a 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -15167,95 +15167,6 @@
"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
},
})
-
- // CECPQ2 prefers 256-bit ciphers but will use AES-128 if there's nothing else.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2-AES128Only",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2)),
- },
- })
-
- // When a 256-bit cipher is offered, even if not in first place, it should be
- // picked.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2-AES256Preferred",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2)),
- },
- expectations: connectionExpectations{
- cipher: TLS_AES_256_GCM_SHA384,
- },
- })
- // ... but when CECPQ2 isn't being used, the client's preference controls.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2-AES128PreferredOtherwise",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveX25519)),
- },
- expectations: connectionExpectations{
- cipher: TLS_AES_128_GCM_SHA256,
- },
- })
-
- // Test that CECPQ2 continues to honor AES vs ChaCha20 logic.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2-AES128-ChaCha20-AES256",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_CHACHA20_POLY1305_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2)),
- "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- },
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2-AES128-AES256-ChaCha20",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- TLS_CHACHA20_POLY1305_SHA256,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2)),
- "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_256_GCM_SHA384)),
- "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- },
- })
}
func addPeekTests() {