cd24a39f1b
dh.c had a 10k-bit limit but it wasn't quite correctly enforced. However, that's still 1.12s of jank on the IO thread, which is too long. Since the SSL code consumes DHE groups from the network, it should be responsible for enforcing what sanity it needs on them. Costs of various bit lengths on 2013 Macbook Air: 1024 - 1.4ms 2048 - 14ms 3072 - 24ms 4096 - 55ms 5000 - 160ms 10000 - 1.12s UMA says that DHE groups are 0.2% 4096-bit and otherwise are 5.5% 2048-bit and 94% 1024-bit and some noise. Set the limit to 4096-bit to be conservative, although that's already quite a lot of jank. BUG=554295 Change-Id: I8e167748a67e4e1adfb62d73dfff094abfa7d215 Reviewed-on: https://boringssl-review.googlesource.com/6464 Reviewed-by: Adam Langley <agl@google.com> |
||
---|---|---|
.. | ||
alert.go | ||
cert.pem | ||
chacha20_poly1305_test.go | ||
chacha20_poly1305.go | ||
channel_id_key.pem | ||
cipher_suites.go | ||
common.go | ||
conn.go | ||
dtls.go | ||
ecdsa_cert.pem | ||
ecdsa_key.pem | ||
handshake_client.go | ||
handshake_messages.go | ||
handshake_server.go | ||
key_agreement.go | ||
key.pem | ||
packet_adapter.go | ||
poly1305.go | ||
prf.go | ||
recordingconn.go | ||
runner_test.go | ||
runner.go | ||
test_output.go | ||
ticket.go | ||
tls.go |