RFR: 8328046: Need to keep leading zeros in TlsPremasterSecret of TLS1.3 DHKeyAgreement
Daniel Jeliński
djelinski at openjdk.org
Thu Sep 25 15:04:19 UTC 2025
On Wed, 17 Sep 2025 12:15:10 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> TLS 1.3 changed the way it generates the FFDHE shared secret. In TLS 1.2, the leading zeroes in the shared secret were stripped, and in TLS 1.3 the leading zeroes are preserved.
>
> Thanks to the recent work in [JDK-8189441](https://bugs.openjdk.org/browse/JDK-8189441), we now have a new algorithm name `Generic` that can be used to generate a shared secret with the leading zeroes preserved.
>
> This PR changes the TLS 1.3 handshake to use the new algorithm name. It also fixes a bug in PKCS11 Generic key derivation, and updates the existing tests to verify that the Generic algorithm doesn't strip leading zeroes.
>
> I didn't add any tests to verify the correctness of the handshake. This can be verified using tlsfuzzer, see JBS for details.
>
> Tier1-3 tests continue to pass. The `TestLeadingZeroesP11.java` test fails before the `P11KeyAgreement.java` changes, passes after.
On second thought, I'll move the PKCS11 changes to a separate issue.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/27343#issuecomment-3334619347
More information about the security-dev
mailing list