//     property a cipher suite can have is forward secrecy. We don't
//     implement FFDHE, so that means ECDHE.
//
//   - AEADs come before CBC ciphers
//
//     Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites
//     are fundamentally fragile, and suffered from an endless sequence of
//     padding oracle attacks. See https://eprint.iacr.org/2015/1129,

        where:
        encryptionTransformation | source
        "AES/ECB/PKCS5PADDING"   | EncryptionKind.KEYSTORE
        "AES/CBC/PKCS5PADDING"   | EncryptionKind.KEYSTORE
        "AES/ECB/PKCS5PADDING"   | EncryptionKind.ENV_VAR
        "AES/CBC/PKCS5PADDING"   | EncryptionKind.ENV_VAR
    }

    def "configuration cache encryption enablement is #enabled if kind=#kind"() {
        given:

	kexAlgoCurve25519SHA256       = "curve25519-sha256"

	chacha20Poly1305ID = "******@****.***"
	gcm256CipherID     = "******@****.***"
	aes128cbcID        = "aes128-cbc"
	tripledescbcID     = "3des-cbc"
)

var (
	errSFTPPublicKeyBadFormat = errors.New("the public key provided could not be parsed")
	errSFTPUserHasNoPolicies  = errors.New("no policies present on this account")

// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
package tls

// BUG(agl): The crypto/tls package only implements some countermeasures
// against Lucky13 attacks on CBC-mode encryption, and only on SHA1
// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and
// https://www.imperialviolet.org/2013/02/04/luckythirteen.html.

import (
	"bytes"
	"context"
	"crypto"

				TLS_RSA_WITH_AES_128_CBC_SHA,
			},
			serverHasAESGCM: false,
			expectedCipher:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		{
			name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)",
			clientCiphers: []uint16{
				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				TLS_RSA_WITH_AES_128_CBC_SHA,
				TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			},