RFR: 8328046: Need to keep leading zeros in TlsPremasterSecret of TLS1.3 DHKeyAgreement [v3]

Daniel Jeliński djelinski at openjdk.org
Mon Dec 15 11:03:33 UTC 2025


On Mon, 15 Dec 2025 10:57:13 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:

>> TLS 1.3 changed the way it generates the FFDHE shared secret. In TLS 1.2, the leading zeroes in the shared secret were stripped, and in TLS 1.3 the leading zeroes are preserved.
>> 
>> Thanks to the recent work in [JDK-8189441](https://bugs.openjdk.org/browse/JDK-8189441), we now have a new algorithm name `Generic` that can be used to generate a shared secret with the leading zeroes preserved.
>> 
>> This PR changes the TLS 1.3 handshake to use the new algorithm name.
>> 
>> I didn't add any tests to verify the correctness of the handshake. This can be verified using tlsfuzzer, see JBS for details.
>> 
>> Tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains five commits:
> 
>  - Merge branch 'master' into tls13-ffdhe
>  - Revert PKCS11 changes
>  - Update copyright, add bug IDs
>  - Fix PKCS11 DH key derivation
>  - Keep leading zeroes in tls13

Things to consider:
- Without this change, roughly 1 in 256 handshakes using FFDHE where the peer is not JSSE-based will fail
- With this change, roughly 1 in 256 handshakes using FFDHE where the peer is an older JSSE version will fail
- JSSE only uses FFDHE as a last resort when ECDHE is not available
- This change will need to be backported together with [JDK-8189441](https://bugs.openjdk.org/browse/JDK-8189441), or not at all

-------------

PR Comment: https://git.openjdk.org/jdk/pull/27343#issuecomment-3655025202
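The encoding difference the PR description refers to, as an added illustration that is not code from the PR or the JDK: TLS 1.2 strips leading zero bytes from the DH shared secret Z, while TLS 1.3 left-pads Z to the byte length of the prime p, so the two encodings differ exactly when the top byte of Z is zero. The prime below is a constructed 16-bit toy value so the output stays readable, not an RFC 7919 group.

```python
import secrets

# Constructed toy parameters (not a real FFDHE group): a 16-bit prime so the
# output stays readable. RFC 7919 groups use primes of 2048 bits and more.
P = 0xFFF1  # 65521, prime
G = 2


def tls12_premaster(z: int) -> bytes:
    """TLS 1.2 (RFC 5246): Z in minimal big-endian form, leading zero bytes stripped."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def tls13_shared_secret(z: int, p: int) -> bytes:
    """TLS 1.3 (RFC 8446): Z left-padded with zero bytes to the byte length of p."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def dh_exchange(p: int, g: int, a: int, b: int) -> int:
    """Plain finite-field DH with private exponents a and b; both sides get the same Z."""
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    z_a, z_b = pow(pub_b, a, p), pow(pub_a, b, p)
    assert z_a == z_b
    return z_a


def encodings_agree(z: int, p: int) -> bool:
    """True unless Z has a leading zero byte, the only case where the encodings differ."""
    return tls12_premaster(z) == tls13_shared_secret(z, p)


def count_mismatches(p: int) -> int:
    """Exact number of Z in [1, p-1] on which a strip-zeros encoder and a pad-to-p
    encoder disagree; for a prime with a full top byte this is roughly p/256."""
    return sum(1 for z in range(1, p) if not encodings_agree(z, p))


def random_exchange(p: int, g: int) -> tuple[bytes, bytes]:
    """One handshake with fresh exponents, returning both encodings of its Z."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    z = dh_exchange(p, g, a, b)
    return tls12_premaster(z), tls13_shared_secret(z, p)


if __name__ == "__main__":
    z = dh_exchange(P, G, 3, 5)  # 2**15 = 32768, no leading zero byte
    print(tls12_premaster(z).hex(), tls13_shared_secret(z, P).hex())  # 8000 8000
    print(tls12_premaster(0xAB).hex(), tls13_shared_secret(0xAB, P).hex())  # ab 00ab
    print(count_mismatches(P), "of", P - 1, "secrets would mismatch against an older peer")
```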