[openssl/openssl] e23b33: Support FFDHE groups in tls1_shared_group


openssl-machine

Feb 5, 2026, 4:10:42 AM (3 days ago) Feb 5
to openssl...@openssl.org
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: e23b33a9956b45b61bd447169ddd3841ca9dfd61
https://github.com/openssl/openssl/commit/e23b33a9956b45b61bd447169ddd3841ca9dfd61
Author: Joachim Vandersmissen <g...@jvdsn.com>
Date: 2026-02-05 (Thu, 05 Feb 2026)

Changed paths:
M include/internal/tlsgroups.h
M providers/common/capabilities.c
M ssl/s3_lib.c
M ssl/ssl_local.h
M ssl/statem/statem_srvr.c
M ssl/t1_lib.c

Log Message:
-----------
Support FFDHE groups in tls1_shared_group

Update tls1_shared_group to allow filtering for FFDHE and/or ECDHE
groups. This will be used for implementing RFC 7919 groups support in
the TLS 1.2 server. As defined in RFC 7919:
Codepoints in the "Supported Groups Registry" with a high byte of
0x01 (that is, between 256 and 511, inclusive) are set aside for
FFDHE groups

Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Thu Feb 5 09:09:38 2026
(Merged from https://github.com/openssl/openssl/pull/24551)


Commit: 92131d3afc8d6efc9ff7f6b392fdb9c139fb0ddc
https://github.com/openssl/openssl/commit/92131d3afc8d6efc9ff7f6b392fdb9c139fb0ddc
Author: Joachim Vandersmissen <g...@jvdsn.com>
Date: 2026-02-05 (Thu, 05 Feb 2026)

Changed paths:
M ssl/s3_lib.c
M ssl/ssl_local.h
M ssl/t1_lib.c
M test/sslapitest.c

Log Message:
-----------
Implement first step of RFC7919 in TLS 1.2 server

RFC 7919 states:
If a compatible TLS server receives a Supported Groups extension from
a client that includes any FFDHE group (i.e., any codepoint between
256 and 511, inclusive, even if unknown to the server), and if none
of the client-proposed FFDHE groups are known and acceptable to the
server, then the server MUST NOT select an FFDHE cipher suite.

We implement this behavior by adding a new function that checks this
condition as its inverse: only select FFDHE cipher suites if at least
one of the client-proposed FFDHE groups is known and acceptable, or
if the client did _not_ send any FFDHE groups.

Also add a test to verify two possible outcomes:
1) The client proposes FFDHE and non-FFDHE ciphersuites -> the server
will select a non-FFDHE ciphersuite.
2) The client only proposes FFDHE ciphersuites -> the server will end
the connection.

Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Thu Feb 5 09:09:40 2026
(Merged from https://github.com/openssl/openssl/pull/24551)


Commit: 2af8022aaf799b42e59e2ea3332b41e56a9b9c73
https://github.com/openssl/openssl/commit/2af8022aaf799b42e59e2ea3332b41e56a9b9c73
Author: Joachim Vandersmissen <g...@jvdsn.com>
Date: 2026-02-05 (Thu, 05 Feb 2026)

Changed paths:
M ssl/ssl_lib.c
M ssl/statem/statem_srvr.c
M test/sslapitest.c
M test/tls-provider.c

Log Message:
-----------
Implement second step of RFC7919 in TLS 1.2 server

Before this commit, the logic for generating a temporary DH key for DHE
cipher suites is the following:
1) If dh_tmp_auto is set (see SSL_set_dh_auto), the SSL server
automatically selects a set of DH parameters (P and G) appropriate
for the security level of the cipher suite. The groups are taken from
IKE (RFC 2409 and RFC 3526).
2) Otherwise, if the user provided a pre-generated set of DH parameters
(SSL_set0_tmp_dh_pkey), those parameters are used.
3) Finally, if neither 1) nor 2) is applicable, a callback function can
be set using SSL_set_tmp_dh_callback, which will be invoked to
generate the temporary DH parameters. From OpenSSL 3.0, this
functionality is deprecated.
4) Using the parameters from step 1-3, an ephemeral DH key is
generated. The parameters and the public key are sent to the client.

The logic above is updated by inserting an additional step, prior to
step 1:
0) If tls1_shared_group returns any shared known group between the
server and the client, the DH parameters associated with this group
are selected.

This is still compliant with RFC7919, as the server will already have
checked the Supported Groups extension during the ciphersuite selection
process (implemented in the previous commit).

Now, the tests need to be updated: By default, the TLS 1.2 server will
default to RFC7919 groups. To bypass this behavior, the supported groups
on the client side are set to "xorgroup", ensuring that the client does
not advertise any FFDHE group support and the server falls back to the
old logic.

An additional test is also added to ensure that the TLS 1.2 server does
select the right group if the client advertises any of the RFC7919
groups.

Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Thu Feb 5 09:09:41 2026
(Merged from https://github.com/openssl/openssl/pull/24551)
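The two server-side rules described in the second and third commits above, the RFC 7919 "MUST NOT select an FFDHE cipher suite" check written as its inverse and the new step 0 lookup of a shared FFDHE group, as a stand-alone model. This is an added example for this page, not OpenSSL's own tls1_shared_group code; the server preference list and the client group lists are constructed, and the unknown codepoint 300 is only a placeholder inside the FFDHE range.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 7919 FFDHE codepoints from the IANA "Supported Groups" registry. */
#define TLS_GROUP_FFDHE2048 256
#define TLS_GROUP_FFDHE3072 257
#define TLS_GROUP_FFDHE4096 258

/* RFC 7919: any codepoint with a high byte of 0x01 (256..511) is FFDHE,
 * whether or not the server knows the specific group. */
static int is_ffdhe_codepoint(uint16_t id)
{
    return (id >> 8) == 0x01;
}

/* Constructed server preference list; a real server derives this from its
 * configured groups and the security level of the cipher suite. */
static const uint16_t server_ffdhe_prefs[] = {
    TLS_GROUP_FFDHE3072, TLS_GROUP_FFDHE2048
};
#define N_SERVER_PREFS (sizeof(server_ffdhe_prefs) / sizeof(server_ffdhe_prefs[0]))

/* Step 0 of the updated DH logic: the first server-preferred FFDHE group
 * that the client also advertised, or 0 when there is no shared group. */
uint16_t shared_ffdhe_group(const uint16_t *client, size_t n)
{
    for (size_t i = 0; i < N_SERVER_PREFS; i++)
        for (size_t j = 0; j < n; j++)
            if (client[j] == server_ffdhe_prefs[i])
                return server_ffdhe_prefs[i];
    return 0;
}

/* The RFC 7919 rule in its inverse form, as the commit message phrases it:
 * FFDHE cipher suites may be selected only if the client sent no FFDHE
 * codepoint at all, or if at least one it sent is known and acceptable.
 * A client offering only unknown FFDHE codepoints therefore gets none. */
int ffdhe_suites_allowed(const uint16_t *client, size_t n)
{
    int client_sent_ffdhe = 0;

    for (size_t j = 0; j < n; j++)
        if (is_ffdhe_codepoint(client[j]))
            client_sent_ffdhe = 1;
    return !client_sent_ffdhe || shared_ffdhe_group(client, n) != 0;
}
```

When ffdhe_suites_allowed() returns 0 and the client offered only DHE cipher suites, the handshake has no usable suite left, which is the second outcome the commit's test checks.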


Commit: e9e0480e5da9a374521e55aa2d5faeb1843dd313
https://github.com/openssl/openssl/commit/e9e0480e5da9a374521e55aa2d5faeb1843dd313
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2026-02-05 (Thu, 05 Feb 2026)

Changed paths:
M ssl/ssl_local.h
M ssl/statem/extensions_clnt.c
M ssl/statem/extensions_srvr.c
M ssl/statem/statem_srvr.c
M ssl/t1_lib.c
M test/recipes/70-test_sslmessages.t
M test/recipes/70-test_tls13kexmodes.t
M test/recipes/70-test_tls13messages.t
M test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
M test/recipes/75-test_quicapi_data/ssltraceref.txt
M test/recipes/80-test_ssl_old.t
M test/recipes/90-test_sslapi_data/ssltraceref-zlib.txt
M test/recipes/90-test_sslapi_data/ssltraceref.txt
M test/ssl_old_test.c
M test/sslapitest.c

Log Message:
-----------
Advertise FFDHE groups also with TLS 1.2-only

When the TLS max version is TLS 1.2, include supported RFC7919 FFDHE
groups in the supported_groups extension, provided we support at least
one DHE key exchange ciphersuite.

Also skip the EC point formats extension when the minimum (D)TLS version
is greater than 1.2. That extension is obsolete as of (D)TLS 1.3.

Finally, folded some extant long lines from the previous RFC7919 commits.

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Thu Feb 5 09:09:43 2026
(Merged from https://github.com/openssl/openssl/pull/24551)


Commit: 254c4d7ae4df9cd2aa4744fb1310237a6a122bf2
https://github.com/openssl/openssl/commit/254c4d7ae4df9cd2aa4744fb1310237a6a122bf2
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2026-02-05 (Thu, 05 Feb 2026)

Changed paths:
M CHANGES.md

Log Message:
-----------
Added CHANGES.MD entry

Also added a couple of missing markdown quotes around strings with
internal literal underscores. More remain...

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Saša Nedvědický <sas...@openssl.org>
MergeDate: Thu Feb 5 09:09:46 2026
(Merged from https://github.com/openssl/openssl/pull/24551)


Compare: https://github.com/openssl/openssl/compare/40d8060c0e8a...254c4d7ae4df
