Remove PQ TLS 1.2 Support

bin/policy.c

@@ -102,10 +102,6 @@ int main(int argc, char *const *argv)
     if (policy->kem_preferences && policy->kem_preferences != &kem_preferences_null) {
         printf("pq:\n");
         printf("- revision: %i\n", policy->kem_preferences->tls13_pq_hybrid_draft_revision);
-        printf("- kems:\n");
-        for (size_t i = 0; i < policy->kem_preferences->kem_count; i++) {
-            printf("-- %s\n", policy->kem_preferences->kems[i]->name);
-        }
         printf("- kem groups:\n");
         for (size_t i = 0; i < policy->kem_preferences->tls13_kem_group_count; i++) {
             printf("-- %s\n", policy->kem_preferences->tls13_kem_groups[i]->name);

tests/cbmc/sources/make_common_datastructures.c

@@ -599,9 +599,7 @@ void cbmc_populate_s2n_kex_parameters(struct s2n_kex_parameters *s2n_kex_paramet
 	 * If required, these initializations should be done in the proof harness.
 	 */
 	cbmc_populate_s2n_kem_group_params(&(s2n_kex_parameters->server_kem_group_params));
-	cbmc_populate_s2n_kem_params(&(s2n_kex_parameters->kem_params));
 	cbmc_populate_s2n_blob(&(s2n_kex_parameters->client_key_exchange_message));
-	cbmc_populate_s2n_blob(&(s2n_kex_parameters->client_pq_kem_extension));
 }
 
 void cbmc_populate_s2n_crypto_parameters(struct s2n_crypto_parameters *s2n_crypto_parameters)

tests/fuzz/s2n_client_key_recv_fuzz_test.c

@@ -116,15 +116,11 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
     POSIX_GUARD(s2n_connection_get_ecc_preferences(server_conn, &ecc_preferences));
     POSIX_ENSURE_REF(ecc_preferences);
 
-    if (server_conn->secure->cipher_suite->key_exchange_alg->client_key_recv == s2n_ecdhe_client_key_recv || server_conn->secure->cipher_suite->key_exchange_alg->client_key_recv == s2n_hybrid_client_key_recv) {
+    if (server_conn->secure->cipher_suite->key_exchange_alg->client_key_recv == s2n_ecdhe_client_key_recv) {
         server_conn->kex_params.server_ecc_evp_params.negotiated_curve = ecc_preferences->ecc_curves[0];
         s2n_ecc_evp_generate_ephemeral_key(&server_conn->kex_params.server_ecc_evp_params);
     }
 
-    if (server_conn->secure->cipher_suite->key_exchange_alg->client_key_recv == s2n_kem_client_key_recv || server_conn->secure->cipher_suite->key_exchange_alg->client_key_recv == s2n_hybrid_client_key_recv) {
-        server_conn->kex_params.kem_params.kem = &s2n_kyber_512_r3;
-    }
-
     /* Run Test
      * Do not use GUARD macro here since the connection memory hasn't been freed.
      */

tests/unit/s2n_choose_supported_group_test.c

@@ -142,8 +142,6 @@ int main()
     /* Test for PQ */
     {
         const struct s2n_kem_preferences test_kem_prefs = {
-            .kem_count = 0,
-            .kems = NULL,
             .tls13_kem_group_count = kem_preferences_all.tls13_kem_group_count,
             .tls13_kem_groups = kem_preferences_all.tls13_kem_groups,
         };

tests/unit/s2n_cipher_suite_match_test.c

@@ -195,7 +195,6 @@ int main(int argc, char **argv)
             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
             TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-            TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384,
         };
         const uint8_t cipher_count = sizeof(wire_ciphers) / S2N_TLS_CIPHER_SUITE_LEN;
 
@@ -325,7 +324,6 @@ int main(int argc, char **argv)
         const struct s2n_ecc_preferences *ecc_pref = NULL;
         EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
         EXPECT_NOT_NULL(ecc_pref);
-
         /* Assume default for negotiated curve. */
         /* Shouldn't be necessary unless the test fails, but we want the failure to be obvious. */
         conn->kex_params.server_ecc_evp_params.negotiated_curve = ecc_pref->ecc_curves[0];
@@ -336,64 +334,6 @@ int main(int argc, char **argv)
         EXPECT_EQUAL(conn->secure->cipher_suite, expected_rsa_wire_choice);
         EXPECT_SUCCESS(s2n_connection_wipe(conn));
 
-        /* Test that PQ cipher suites are marked available/unavailable appropriately in s2n_cipher_suites_init() */
-        {
-            const struct s2n_cipher_suite *pq_suites[] = {
-                &s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384,
-            };
-
-            for (size_t i = 0; i < s2n_array_len(pq_suites); i++) {
-                if (s2n_pq_is_enabled()) {
-                    EXPECT_EQUAL(pq_suites[i]->available, 1);
-                    EXPECT_NOT_NULL(pq_suites[i]->record_alg);
-                } else {
-                    EXPECT_EQUAL(pq_suites[i]->available, 0);
-                    EXPECT_NULL(pq_suites[i]->record_alg);
-                }
-            }
-        };
-
-        /* Test that clients that support PQ ciphers can negotiate them. */
-        {
-            uint8_t client_extensions_data[] = {
-                0xFE, 0x01,                                /* PQ KEM extension ID */
-                0x00, 0x04,                                /* Total extension length in bytes */
-                0x00, 0x02,                                /* Length of the supported parameters list in bytes */
-                0x00, TLS_PQ_KEM_EXTENSION_ID_KYBER_512_R3 /* Kyber-512-Round3*/
-            };
-            int client_extensions_len = sizeof(client_extensions_data);
-            EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "PQ-TLS-1-0-2021-05-24"));
-            conn->actual_protocol_version = S2N_TLS12;
-            conn->kex_params.server_ecc_evp_params.negotiated_curve = ecc_pref->ecc_curves[0];
-            conn->kex_params.client_pq_kem_extension.data = client_extensions_data;
-            conn->kex_params.client_pq_kem_extension.size = client_extensions_len;
-            EXPECT_SUCCESS(s2n_set_cipher_as_tls_server(conn, wire_ciphers, cipher_count));
-            const struct s2n_cipher_suite *kyber_cipher = &s2n_ecdhe_kyber_rsa_with_aes_256_gcm_sha384;
-            const struct s2n_cipher_suite *ecc_cipher = &s2n_ecdhe_rsa_with_aes_256_gcm_sha384;
-            if (s2n_pq_is_enabled()) {
-                EXPECT_EQUAL(conn->secure->cipher_suite, kyber_cipher);
-            } else {
-                EXPECT_EQUAL(conn->secure->cipher_suite, ecc_cipher);
-            }
-
-            EXPECT_SUCCESS(s2n_connection_wipe(conn));
-
-            /* Test cipher preferences that use PQ cipher suites that require TLS 1.2 fall back to classic ciphers if a client
-             * only supports TLS 1.1 or below, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is the first cipher suite that supports
-             * TLS 1.1 in KMS-PQ-TLS-1-0-2019-06 */
-            for (int i = S2N_TLS10; i <= S2N_TLS11; i++) {
-                const struct s2n_cipher_suite *expected_classic_wire_choice = &s2n_ecdhe_rsa_with_aes_256_cbc_sha;
-                EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "KMS-PQ-TLS-1-0-2019-06"));
-                conn->actual_protocol_version = i;
-                conn->kex_params.server_ecc_evp_params.negotiated_curve = ecc_pref->ecc_curves[0];
-                conn->kex_params.client_pq_kem_extension.data = client_extensions_data;
-                conn->kex_params.client_pq_kem_extension.size = client_extensions_len;
-                EXPECT_SUCCESS(s2n_set_cipher_as_tls_server(conn, wire_ciphers, cipher_count));
-                EXPECT_EQUAL(conn->secure->cipher_suite, expected_classic_wire_choice);
-                EXPECT_SUCCESS(s2n_connection_wipe(conn));
-            }
-        };
-
         /* Clean+free to setup for ECDSA tests */
         EXPECT_SUCCESS(s2n_config_free(server_config));
 
@@ -404,7 +344,6 @@ int main(int argc, char **argv)
 
         EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
         EXPECT_NOT_NULL(ecc_pref);
-
         /* TEST ECDSA */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_ecdsa"));
         const struct s2n_cipher_suite *expected_ecdsa_wire_choice = &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256;
@@ -569,7 +508,6 @@ int main(int argc, char **argv)
 
         /* Override auto-chosen defaults with only ECDSA cert default. RSA still loaded, but not default. */
         EXPECT_SUCCESS(s2n_config_set_cert_chain_and_key_defaults(server_config, &ecdsa_cert, 1));
-
         /* Client sends RSA and ECDSA ciphers, server prioritizes RSA, ECDSA + RSA cert is configured,
          * only ECDSA is default. Expect default ECDSA used instead of previous test that expects RSA for this case. */
         {
@@ -634,7 +572,6 @@ int main(int argc, char **argv)
             tls12_cipher_suite->iana_value[0], tls12_cipher_suite->iana_value[1]
         };
         const uint8_t cipher_count_tls13 = sizeof(wire_ciphers_with_tls13) / S2N_TLS_CIPHER_SUITE_LEN;
-
         /* Client sends TLS1.3 cipher suites, but server does not support TLS1.3 */
         {
             EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all"));
@@ -668,7 +605,6 @@ int main(int argc, char **argv)
                 EXPECT_SUCCESS(s2n_connection_wipe(conn));
             }
         }
-
         /* Check wire's cipher suites with preferred tls12 ordering does not affect tls13 selection */
         {
             uint8_t wire_ciphers2[] = {
@@ -835,7 +771,7 @@ int main(int argc, char **argv)
         {
             EXPECT_SUCCESS(s2n_enable_tls13_in_test());
             uint8_t invalid_cipher_pref[] = {
-                TLS_ECDHE_KYBER_RSA_WITH_AES_256_GCM_SHA384
+                TLS_NULL_WITH_NULL_NULL
             };
 
             const uint8_t invalid_cipher_count = sizeof(invalid_cipher_pref) / S2N_TLS_CIPHER_SUITE_LEN;
@@ -846,7 +782,6 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_wipe(conn));
             EXPECT_SUCCESS(s2n_disable_tls13_in_test());
         };
-
         /* Client sends cipher that requires DH params */
         {
             DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),