Rename uses 'curve' to 'group' and rework tls1 group API.

This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.

Based on a suggestion by jsing

ok jsing

12 files changed, 204 insertions, 162 deletions

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 4575a141cf..cfd50e66be 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.233 2022/06/29 21:18:04 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.234 2022/07/02 16:00:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2494,13 +2494,13 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
         STACK_OF(SSL_CIPHER) *prio, *allow;
         SSL_CIPHER *c, *ret = NULL;
         int can_use_ecc;
-        int i, ii, ok;
+        int i, ii, nid, ok;
         SSL_CERT *cert;
 
         /* Let's see which ciphers we can support */
         cert = s->cert;
 
-        can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
+        can_use_ecc = tls1_get_supported_group(s, &nid);
 
         /*
          * Do not set the compare functions, because this may lead to a
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 604b55277c..8fe416b74a 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.149 2022/06/30 11:17:49 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.150 2022/07/02 16:00:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1271,13 +1271,13 @@ static int
 ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
 {
         uint8_t curve_type;
-        uint16_t curve_id;
+        uint16_t group_id;
         int decode_error;
         CBS public;
 
         if (!CBS_get_u8(cbs, &curve_type))
                 goto decode_err;
-        if (!CBS_get_u16(cbs, &curve_id))
+        if (!CBS_get_u16(cbs, &group_id))
                 goto decode_err;
 
         /* Only named curves are supported. */
@@ -1291,17 +1291,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
                 goto decode_err;
 
         /*
-         * Check that the curve is one of our preferences - if it is not,
-         * the server has sent us an invalid curve.
+         * Check that the group is one of our preferences - if it is not,
+         * the server has sent us an invalid group.
          */
-        if (!tls1_check_curve(s, curve_id)) {
+        if (!tls1_check_group(s, group_id)) {
                 SSLerror(s, SSL_R_WRONG_CURVE);
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
                 goto err;
         }
 
         tls_key_share_free(s->s3->hs.key_share);
-        if ((s->s3->hs.key_share = tls_key_share_new(curve_id)) == NULL)
+        if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
                 goto err;
 
         if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d3e600b6b7..a2ca99c02d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.409 2022/06/30 16:05:07 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.410 2022/07/02 16:00:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1306,7 +1306,7 @@ int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
     int is_peer, int *out_error);
 int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
     X509 *x509, int *out_error);
-int ssl_security_supported_group(const SSL *ssl, uint16_t curve_id);
+int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
 
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
@@ -1515,11 +1515,11 @@ int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
 int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
     const char *groups);
 
-int tls1_ec_curve_id2nid(const uint16_t curve_id);
-int tls1_ec_curve_id2bits(const uint16_t curve_id);
-uint16_t tls1_ec_nid2curve_id(const int nid);
-int tls1_check_curve(SSL *s, const uint16_t group_id);
-int tls1_get_shared_curve(SSL *s);
+int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid);
+int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits);
+int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id);
+int tls1_check_group(SSL *s, uint16_t group_id);
+int tls1_get_supported_group(SSL *s, int *group_nid);
 
 int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_clienthello_tlsext_late(SSL *s);
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 35f8b8891b..2e0b74141f 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_seclevel.c,v 1.14 2022/06/30 16:05:07 tb Exp $ */
+/*      $OpenBSD: ssl_seclevel.c,v 1.15 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -401,23 +401,23 @@ ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
 }
 
 int
-ssl_security_supported_group(const SSL *ssl, uint16_t curve_id)
+ssl_security_supported_group(const SSL *ssl, uint16_t group_id)
 {
         CBB cbb;
         int bits, nid;
-        uint8_t curve[2];
+        uint8_t group[2];
 
-        if ((bits = tls1_ec_curve_id2bits(curve_id)) == 0)
+        if (!tls1_ec_group_id2bits(group_id, &bits))
                 return 0;
-        if ((nid = tls1_ec_curve_id2nid(curve_id)) == NID_undef)
+        if (!tls1_ec_group_id2nid(group_id, &nid))
                 return 0;
 
-        if (!CBB_init_fixed(&cbb, curve, sizeof(curve)))
+        if (!CBB_init_fixed(&cbb, group, sizeof(group)))
                 return 0;
-        if (!CBB_add_u16(&cbb, curve_id))
+        if (!CBB_add_u16(&cbb, group_id))
                 return 0;
         if (!CBB_finish(&cbb, NULL, NULL))
                 return 0;
 
-        return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, curve);
+        return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, group);
 }
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 9c38a076ac..754d76e72a 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.45 2022/06/29 07:55:59 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.46 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -39,7 +39,7 @@ const struct ssl_sigalg sigalgs[] = {
                 .key_type = EVP_PKEY_EC,
                 .md = EVP_sha512,
                 .security_level = 5,
-                .curve_nid = NID_secp521r1,
+                .group_nid = NID_secp521r1,
         },
 #ifndef OPENSSL_NO_GOST
         {
@@ -60,7 +60,7 @@ const struct ssl_sigalg sigalgs[] = {
                 .key_type = EVP_PKEY_EC,
                 .md = EVP_sha384,
                 .security_level = 4,
-                .curve_nid = NID_secp384r1,
+                .group_nid = NID_secp384r1,
         },
         {
                 .value = SIGALG_RSA_PKCS1_SHA256,
@@ -73,7 +73,7 @@ const struct ssl_sigalg sigalgs[] = {
                 .key_type = EVP_PKEY_EC,
                 .md = EVP_sha256,
                 .security_level = 3,
-                .curve_nid = NID_X9_62_prime256v1,
+                .group_nid = NID_X9_62_prime256v1,
         },
 #ifndef OPENSSL_NO_GOST
         {
@@ -321,12 +321,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
             (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
                 return 0;
 
-        /* Ensure that curve matches for EC keys. */
+        /* Ensure that group matches for EC keys. */
         if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
-                if (sigalg->curve_nid == 0)
+                if (sigalg->group_nid == 0)
                         return 0;
                 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
-                    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid)
+                    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
                         return 0;
         }
 
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index 5be2122906..21a54d642b 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.25 2022/06/29 07:53:58 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
@@ -65,7 +65,7 @@ struct ssl_sigalg {
         int key_type;
         const EVP_MD *(*md)(void);
         int security_level;
-        int curve_nid;
+        int group_nid;
         int flags;
 };
 
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 8f110831e4..526d9e678b 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.146 2022/06/30 11:17:50 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.147 2022/07/02 16:00:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1380,7 +1380,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
         CBB public;
         int nid;
 
-        if ((nid = tls1_get_shared_curve(s)) == NID_undef) {
+        if (!tls1_get_supported_group(s, &nid)) {
                 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
                 goto err;
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 88d26fd326..7457925572 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.117 2022/06/30 16:05:07 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.118 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1516,7 +1516,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         continue;
 
                 /* XXX - consider implementing server preference. */
-                if (!tls1_check_curve(s, group))
+                if (!tls1_check_group(s, group))
                         continue;
 
                 /* Decode and store the selected key share. */
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 9748901268..beaaae1eb0 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.190 2022/07/02 15:53:37 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.191 2022/07/02 16:00:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -150,12 +150,16 @@ tls1_clear(SSL *s)
         s->version = s->method->version;
 }
 
-struct curve {
+struct supported_group {
         int nid;
         int bits;
 };
 
-static const struct curve nid_list[] = {
+/*
+ * Supported groups (formerly known as named curves)
+ * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
+ */
+static const struct supported_group nid_list[] = {
         [1] = {
                 .nid = NID_sect163k1,
                 .bits = 80,
@@ -274,6 +278,8 @@ static const struct curve nid_list[] = {
         },
 };
 
+#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
+
 #if 0
 static const uint8_t ecformats_list[] = {
         TLSEXT_ECPOINTFORMAT_uncompressed,
@@ -287,7 +293,7 @@ static const uint8_t ecformats_default[] = {
 };
 
 #if 0
-static const uint16_t eccurves_list[] = {
+static const uint16_t ecgroups_list[] = {
         29,                     /* X25519 (29) */
         14,                     /* sect571r1 (14) */
         13,                     /* sect571k1 (13) */
@@ -320,116 +326,155 @@ static const uint16_t eccurves_list[] = {
 };
 #endif
 
-static const uint16_t eccurves_client_default[] = {
+static const uint16_t ecgroups_client_default[] = {
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
         25,                     /* secp521r1 (25) */
 };
 
-static const uint16_t eccurves_server_default[] = {
+static const uint16_t ecgroups_server_default[] = {
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
 };
 
 int
-tls1_ec_curve_id2nid(const uint16_t curve_id)
+tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        const struct curve *curve;
+        const struct supported_group *group;
 
-        /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
-        if ((curve_id < 1) ||
-            ((unsigned int)curve_id >= sizeof(nid_list) / sizeof(nid_list[0])))
-                return NID_undef;
+        if (group_id < 1 || group_id >= NID_LIST_LEN)
+                return 0;
+
+        if ((group = &nid_list[group_id]) == NULL)
+                return 0;
 
-        if ((curve = &nid_list[curve_id]) == NULL)
-                return NID_undef;
+        *out_nid = group->nid;
 
-        return curve->nid;
+        return 1;
 }
 
 int
-tls1_ec_curve_id2bits(const uint16_t curve_id)
+tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        const struct curve *curve;
+        const struct supported_group *group;
 
-        if ((curve_id < 1) ||
-            ((unsigned int)curve_id >= sizeof(nid_list) / sizeof(nid_list[0])))
+        if (group_id < 1 || group_id >= NID_LIST_LEN)
                 return 0;
 
-        if ((curve = &nid_list[curve_id]) == NULL)
+        if ((group = &nid_list[group_id]) == NULL)
                 return 0;
 
-        return curve->bits;
+        *out_bits = group->bits;
+
+        return 1;
 }
 
-uint16_t
-tls1_ec_nid2curve_id(const int nid)
+int
+tls1_ec_nid2group_id(const int nid, uint16_t *out_group_id)
 {
-        /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
+        uint16_t group_id;
+
         switch (nid) {
-        case NID_sect163k1: /* sect163k1 (1) */
-                return 1;
-        case NID_sect163r1: /* sect163r1 (2) */
-                return 2;
-        case NID_sect163r2: /* sect163r2 (3) */
-                return 3;
-        case NID_sect193r1: /* sect193r1 (4) */
-                return 4;
-        case NID_sect193r2: /* sect193r2 (5) */
-                return 5;
-        case NID_sect233k1: /* sect233k1 (6) */
-                return 6;
-        case NID_sect233r1: /* sect233r1 (7) */
-                return 7;
-        case NID_sect239k1: /* sect239k1 (8) */
-                return 8;
-        case NID_sect283k1: /* sect283k1 (9) */
-                return 9;
-        case NID_sect283r1: /* sect283r1 (10) */
-                return 10;
-        case NID_sect409k1: /* sect409k1 (11) */
-                return 11;
-        case NID_sect409r1: /* sect409r1 (12) */
-                return 12;
-        case NID_sect571k1: /* sect571k1 (13) */
-                return 13;
-        case NID_sect571r1: /* sect571r1 (14) */
-                return 14;
-        case NID_secp160k1: /* secp160k1 (15) */
-                return 15;
-        case NID_secp160r1: /* secp160r1 (16) */
-                return 16;
-        case NID_secp160r2: /* secp160r2 (17) */
-                return 17;
-        case NID_secp192k1: /* secp192k1 (18) */
-                return 18;
-        case NID_X9_62_prime192v1: /* secp192r1 (19) */
-                return 19;
-        case NID_secp224k1: /* secp224k1 (20) */
-                return 20;
-        case NID_secp224r1: /* secp224r1 (21) */
-                return 21;
-        case NID_secp256k1: /* secp256k1 (22) */
-                return 22;
-        case NID_X9_62_prime256v1: /* secp256r1 (23) */
-                return 23;
-        case NID_secp384r1: /* secp384r1 (24) */
-                return 24;
-        case NID_secp521r1: /* secp521r1 (25) */
-                return 25;
-        case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */
-                return 26;
-        case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */
-                return 27;
-        case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */
-                return 28;
-        case NID_X25519:                /* X25519 (29) */
-                return 29;
+        case NID_sect163k1:
+                group_id = 1;
+                break;
+        case NID_sect163r1:
+                group_id = 2;
+                break;
+        case NID_sect163r2:
+                group_id = 3;
+                break;
+        case NID_sect193r1:
+                group_id = 4;
+                break;
+        case NID_sect193r2:
+                group_id = 5;
+                break;
+        case NID_sect233k1:
+                group_id = 6;
+                break;
+        case NID_sect233r1:
+                group_id = 7;
+                break;
+        case NID_sect239k1:
+                group_id = 8;
+                break;
+        case NID_sect283k1:
+                group_id = 9;
+                break;
+        case NID_sect283r1:
+                group_id = 10;
+                break;
+        case NID_sect409k1:
+                group_id = 11;
+                break;
+        case NID_sect409r1:
+                group_id = 12;
+                break;
+        case NID_sect571k1:
+                group_id = 13;
+                break;
+        case NID_sect571r1:
+                group_id = 14;
+                break;
+        case NID_secp160k1:
+                group_id = 15;
+                break;
+        case NID_secp160r1:
+                group_id = 16;
+                break;
+        case NID_secp160r2:
+                group_id = 17;
+                break;
+        case NID_secp192k1:
+                group_id = 18;
+                break;
+        case NID_X9_62_prime192v1: /* aka secp192r1 */
+                group_id = 19;
+                break;
+        case NID_secp224k1:
+                group_id = 20;
+                break;
+        case NID_secp224r1:
+                group_id = 21;
+                break;
+        case NID_secp256k1:
+                group_id = 22;
+                break;
+        case NID_X9_62_prime256v1: /* aka secp256r1 */
+                group_id = 23;
+                break;
+        case NID_secp384r1:
+                group_id = 24;
+                break;
+        case NID_secp521r1:
+                group_id = 25;
+                break;
+        case NID_brainpoolP256r1:
+                group_id = 26;
+                break;
+        case NID_brainpoolP384r1:
+                group_id = 27;
+                break;
+        case NID_brainpoolP512r1:
+                group_id = 28;
+                break;
+        case NID_X25519:
+                group_id = 29;
+                break;
         default:
-                return 0;
+                group_id = 0;
+                break;
         }
+
+        if (group_id == 0)
+                return 0;
+
+        *out_group_id = group_id;
+
+        return 1;
 }
 
 /*
@@ -476,11 +521,11 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups,
                 return;
 
         if (!s->server) {
-                *pgroups = eccurves_client_default;
-                *pgroupslen = sizeof(eccurves_client_default) / 2;
+                *pgroups = ecgroups_client_default;
+                *pgroupslen = sizeof(ecgroups_client_default) / 2;
         } else {
-                *pgroups = eccurves_server_default;
-                *pgroupslen = sizeof(eccurves_server_default) / 2;
+                *pgroups = ecgroups_server_default;
+                *pgroupslen = sizeof(ecgroups_server_default) / 2;
         }
 }
 
@@ -491,13 +536,11 @@ tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len,
         uint16_t *group_ids;
         size_t i;
 
-        group_ids = calloc(ngroups, sizeof(uint16_t));
-        if (group_ids == NULL)
+        if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL)
                 return 0;
 
         for (i = 0; i < ngroups; i++) {
-                group_ids[i] = tls1_ec_nid2curve_id(groups[i]);
-                if (group_ids[i] == 0) {
+                if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) {
                         free(group_ids);
                         return 0;
                 }
@@ -537,8 +580,7 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
                         goto err;
                 group_ids = new_group_ids;
 
-                group_ids[ngroups] = tls1_ec_nid2curve_id(nid);
-                if (group_ids[ngroups] == 0)
+                if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups]))
                         goto err;
 
                 ngroups++;
@@ -558,9 +600,9 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
         return 0;
 }
 
-/* Check that a curve is one of our preferences. */
+/* Check that a group is one of our preferences. */
 int
-tls1_check_curve(SSL *s, const uint16_t curve_id)
+tls1_check_group(SSL *s, uint16_t group_id)
 {
         const uint16_t *groups;
         size_t groupslen, i;
@@ -570,14 +612,14 @@ tls1_check_curve(SSL *s, const uint16_t curve_id)
         for (i = 0; i < groupslen; i++) {
                 if (!ssl_security_supported_group(s, groups[i]))
                         continue;
-                if (groups[i] == curve_id)
-                        return (1);
+                if (groups[i] == group_id)
+                        return 1;
         }
-        return (0);
+        return 0;
 }
 
 int
-tls1_get_shared_curve(SSL *s)
+tls1_get_supported_group(SSL *s, int *out_nid)
 {
         size_t preflen, supplen, i, j;
         const uint16_t *pref, *supp;
@@ -585,9 +627,9 @@ tls1_get_shared_curve(SSL *s)
 
         /* Cannot do anything on the client side. */
         if (s->server == 0)
-                return (NID_undef);
+                return 0;
 
-        /* Return first preference shared curve. */
+        /* Return first preference supported group. */
         server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE);
         tls1_get_group_list(s, (server_pref == 0), &pref, &preflen);
         tls1_get_group_list(s, (server_pref != 0), &supp, &supplen);
@@ -597,15 +639,15 @@ tls1_get_shared_curve(SSL *s)
                         continue;
                 for (j = 0; j < supplen; j++) {
                         if (pref[i] == supp[j])
-                                return (tls1_ec_curve_id2nid(pref[i]));
+                                return tls1_ec_group_id2nid(pref[i], out_nid);
                 }
         }
-        return (NID_undef);
+        return 0;
 }
 
 /* For an EC key set TLS ID and required compression based on parameters. */
 static int
-tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
+tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec)
 {
         const EC_GROUP *grp;
         const EC_METHOD *meth;
@@ -615,18 +657,18 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
         if (ec == NULL)
                 return (0);
 
-        /* Determine whether the curve is defined over a prime field. */
+        /* Determine whether the group is defined over a prime field. */
         if ((grp = EC_KEY_get0_group(ec)) == NULL)
                 return (0);
         if ((meth = EC_GROUP_method_of(grp)) == NULL)
                 return (0);
         prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
 
-        /* Determine curve ID - NID_undef results in a curve ID of zero. */
+        /* Determine group ID. */
         nid = EC_GROUP_get_curve_name(grp);
-        /* If we have an ID set it, otherwise set arbitrary explicit curve. */
-        if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0)
-                *curve_id = prime_field ? 0xff01 : 0xff02;
+        /* If we have an ID set it, otherwise set arbitrary explicit group. */
+        if (!tls1_ec_nid2group_id(nid, group_id))
+                *group_id = prime_field ? 0xff01 : 0xff02;
 
         if (comp_id == NULL)
                 return (1);
@@ -646,7 +688,7 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec)
 
 /* Check that an EC key is compatible with extensions. */
 static int
-tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
+tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id)
 {
         size_t groupslen, formatslen, i;
         const uint16_t *groups;
@@ -667,12 +709,12 @@ tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id)
         }
 
         /*
-         * Check curve list if present, otherwise everything is supported.
+         * Check group list if present, otherwise everything is supported.
          */
         tls1_get_group_list(s, 1, &groups, &groupslen);
-        if (curve_id != NULL && groups != NULL) {
+        if (group_id != NULL && groups != NULL) {
                 for (i = 0; i < groupslen; i++) {
-                        if (groups[i] == *curve_id)
+                        if (groups[i] == *group_id)
                                 break;
                 }
                 if (i == groupslen)
@@ -687,7 +729,7 @@ int
 tls1_check_ec_server_key(SSL *s)
 {
         SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC;
-        uint16_t curve_id;
+        uint16_t group_id;
         uint8_t comp_id;
         EC_KEY *eckey;
         EVP_PKEY *pkey;
@@ -698,10 +740,10 @@ tls1_check_ec_server_key(SSL *s)
                 return (0);
         if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL)
                 return (0);
-        if (!tls1_set_ec_id(&curve_id, &comp_id, eckey))
+        if (!tls1_set_ec_id(&group_id, &comp_id, eckey))
                 return (0);
 
-        return tls1_check_ec_key(s, &curve_id, &comp_id);
+        return tls1_check_ec_key(s, &group_id, &comp_id);
 }
 
 int
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 11eb880a6e..fb2dd69eb2 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.95 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -440,7 +440,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
          * supported groups and is not the same as the key share we previously
          * offered.
          */
-        if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
+        if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group))
                 return 0; /* XXX alert */
         if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share))
                 return 0; /* XXX alert */
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 2c1c12ff25..c5c86ab95f 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.98 2022/06/04 01:14:43 tb Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.99 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -432,9 +432,9 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 
         if (ctx->hs->key_share != NULL)
                 return 0;
-        if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
+        if (!tls1_get_supported_group(ctx->ssl, &nid))
                 return 0;
-        if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
+        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
                 return 0;
 
         if (!tls13_server_hello_build(ctx, cbb, 1))
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index c170f08649..048db25bd5 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.6 2022/07/02 09:33:20 tb Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.7 2022/07/02 16:00:12 tb Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -61,7 +61,7 @@ tls_key_share_new(uint16_t group_id)
 {
         int nid;
 
-        if ((nid = tls1_ec_curve_id2nid(group_id)) == NID_undef)
+        if (!tls1_ec_group_id2nid(group_id, &nid))
                 return NULL;
 
         return tls_key_share_new_internal(nid, group_id);
@@ -73,7 +73,7 @@ tls_key_share_new_nid(int nid)
         uint16_t group_id = 0;
 
         if (nid != NID_dhKeyAgreement) {
-                if ((group_id = tls1_ec_nid2curve_id(nid)) == 0)
+                if (!tls1_ec_nid2group_id(nid, &group_id))
                         return NULL;
         }