commit | 4298d773794dcfef675aeeacd970bcc8f2fe406d | [log] [tgz] |
---|---|---|
author | David Benjamin <davidben@chromium.org> | Sat Dec 19 00:18:25 2015 -0500 |
committer | Adam Langley <agl@google.com> | Tue Dec 22 21:51:30 2015 +0000 |
tree | fd5f4ff6a373fe3453f27f940c9adbd5f9c94cf7 | |
parent | c18ef750ee7f6c5a6abdca8b7848286250784a06 [diff] |
Implement draft-ietf-tls-curve25519-01 in C. The new curve is not enabled by default. As EC_GROUP/EC_POINT is a bit too complex for X25519, this introduces an SSL_ECDH_METHOD abstraction which wraps just the raw ECDH operation. It also tidies up some of the curve code which kept converting back and force between NIDs and curve IDs. Now everything transits as curve IDs except for API entry points (SSL_set1_curves) which take NIDs. Those convert immediately and act on curve IDs from then on. Note that, like the Go implementation, this slightly tweaks the order of operations. The client sees the server public key before sending its own. To keep the abstraction simple, SSL_ECDH_METHOD expects to generate a keypair before consuming the peer's public key. Instead, the client handshake stashes the serialized peer public value and defers parsing it until it comes time to send ClientKeyExchange. (This is analogous to what it was doing before where it stashed the parsed peer public value instead.) It still uses TLS 1.2 terminology everywhere, but this abstraction should also be compatible with TLS 1.3 which unifies (EC)DH-style key exchanges. (Accordingly, this abstraction intentionally does not handle parsing the ClientKeyExchange/ServerKeyExchange framing or attempt to handle asynchronous plain RSA or the authentication bits.) BUG=571231 Change-Id: Iba09dddee5bcdfeb2b70185308e8ab0632717932 Reviewed-on: https://boringssl-review.googlesource.com/6780 Reviewed-by: Adam Langley <agl@google.com>
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
There are other files in this directory which might be helpful: