Commit e6a9a6e998 for openssl.org

commit e6a9a6e998db30330adf5bc0f3803a715f99fc99
Author: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Mon Feb 23 15:49:06 2026 +1100

Simplify and expand default group list

With keyshare floating, we no longer need CPP conditions to get the
right keyshare prediction defaults.

Also add "curveSM2" near the end of the list, after the stronger ECX and
EC groups, but before FFDHE.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Feb 25 11:08:17 2026
(Merged from https://github.com/openssl/openssl/pull/30113)

diff --git a/CHANGES.md b/CHANGES.md
index 044b3b2f64..7f0e019021 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -32,6 +32,23 @@ OpenSSL 4.0
### Changes between 3.6 and 4.0 [xx XXX xxxx]
+ * Updated the default group list to append `SecP256r1MKEM768` and
+ `curveSM2MLKEM768` to the first tuple in that order after `*X25519MLKEM768`.
+ Also inserted a penultimate tuple with `curveSM2` (just before the `FFDHE`
+ groups).
+
+ *Viktor Dukhovni*
+
+ * Implemented client-side predicted keyshare floating. When a tuple loses
+ the last element that was tagged for transmission of a predicted client
+ keyshare (by default `*X25519MLKEM768` and `*X25519` in their respective
+ tuples), either because the group is not enabled at compile-time, or
+ because it is removed by configuration (e.g. `DEFAULT:-<groupname>`), if
+ the tuple remains non-empty, the keyshare is inherited by the first (i.e.
+ most preferred) remaining element of the tuple.
+
+ *Viktor Dukhovni*
+
* Added support for [RFC8998], signature algorithm `sm2sig_sm3`, key exchange
group `curveSM2`, and [tls-hybrid-sm2-mlkem] post-quantum group
`curveSM2MLKEM768`.
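Review bot: `SecP256r1MKEM768` in the first added line of this entry is missing an "L". The group is spelled `SecP256r1MLKEM768` in `TLS_DEFAULT_GROUP_LIST` in ssl/t1_lib.c and in the trace reference files, so the changelog should use the same spelling; a reader who copies the name from CHANGES.md into a group list configuration will otherwise not get the intended group.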
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 6303129054..c077aa5722 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -205,18 +205,12 @@ static const unsigned char ecformats_all[] = {
/* Group list string of the built-in pseudo group DEFAULT */
#define DEFAULT_GROUP_NAME "DEFAULT"
-#ifndef OPENSSL_NO_ECX
#define TLS_DEFAULT_GROUP_LIST \
"?*X25519MLKEM768:?SecP256r1MLKEM768:?curveSM2MLKEM768 / " \
"?*X25519:?secp256r1 / " \
"?X448:?secp384r1:?secp521r1 / " \
+ "?curveSM2 / " \
"?ffdhe2048:?ffdhe3072"
-#else
-#define TLS_DEFAULT_GROUP_LIST \
- "?*SecP256r1MLKEM768:?curveSM2MLKEM768 / " \
- "?*secp256r1 / ?secp384r1:?secp521r1 / " \
- "?ffdhe2048:?ffdhe3072"
-#endif
static const uint16_t suiteb_curves[] = {
OSSL_TLS_GROUP_ID_secp256r1,
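Review bot: with the `#else` branch removed, nothing at the `TLS_DEFAULT_GROUP_LIST` definition says that the no-ECX defaults now depend on the keyshare mark floating from `?*X25519MLKEM768` and `?*X25519` to the first remaining group in each tuple. A short comment above the macro would help, stating that the second element of those two tuples is the intended keyshare fallback (currently `SecP256r1MLKEM768` and `secp256r1`, the groups the removed branch marked with `*`). Without it, a later reordering inside either tuple could silently change the predicted keyshares in `OPENSSL_NO_ECX` builds.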
diff --git a/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
index faea976b90..bd8d4c2f6c 100644
--- a/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
+++ b/test/recipes/75-test_quicapi_data/ssltraceref-zlib.txt
@@ -19,7 +19,7 @@ Header:
000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ...............
001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d
002d - 09 02 40 64 ..@d
- extension_type=supported_groups(10), length=22
+ extension_type=supported_groups(10), length=24
X25519MLKEM768 (4588)
SecP256r1MLKEM768 (4587)
curveSM2MLKEM768 (4590)
@@ -28,6 +28,7 @@ Header:
ecdh_x448 (30)
secp384r1 (P-384) (24)
secp521r1 (P-521) (25)
+ curveSM2 (41)
ffdhe2048 (256)
ffdhe3072 (257)
extension_type=session_ticket(35), length=0
diff --git a/test/recipes/75-test_quicapi_data/ssltraceref.txt b/test/recipes/75-test_quicapi_data/ssltraceref.txt
index 56c395b15a..c453344987 100644
--- a/test/recipes/75-test_quicapi_data/ssltraceref.txt
+++ b/test/recipes/75-test_quicapi_data/ssltraceref.txt
@@ -19,7 +19,7 @@ Header:
000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ...............
001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d
002d - 09 02 40 64 ..@d
- extension_type=supported_groups(10), length=22
+ extension_type=supported_groups(10), length=24
X25519MLKEM768 (4588)
SecP256r1MLKEM768 (4587)
curveSM2MLKEM768 (4590)
@@ -28,6 +28,7 @@ Header:
ecdh_x448 (30)
secp384r1 (P-384) (24)
secp521r1 (P-521) (25)
+ curveSM2 (41)
ffdhe2048 (256)
ffdhe3072 (257)
extension_type=session_ticket(35), length=0
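Review bot: the `curveSM2 (41)` line added here, together with the length change from 22 to 24 in the preceding hunk, only checks the `supported_groups` ordering of a build where the X25519 groups are present, and the same is true of the ssltraceref-zlib.txt update. None of the test changes visible in this patch exercise the case the removed `#else` branch used to handle. Consider adding a test that removes the `*`-tagged groups (a no-ECX build, or a `DEFAULT:-<groupname>` configuration as described in CHANGES.md) and asserts which group in each tuple receives the predicted keyshare.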