3 files changed, 11 insertions, 11 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 9209597601..12ede899e8 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.156 2025/06/07 10:23:21 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.157 2025/10/16 14:42:21 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1554,6 +1554,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 for (j = 0; j < server_groups_len; j++) {
                         if (server_groups[j] == client_groups[i]) {
                                 client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                 preferred_group_found = 1;
                                 break;
                         }
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 63b7d92093..f852e08a52 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.110 2025/10/16 14:42:21 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        int nid;
-
         ctx->hs->tls13.hrr = 1;
 
         if (!tls13_synthetic_handshake_message(ctx))
@@ -446,9 +444,7 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 
         if (ctx->hs->key_share != NULL)
                 return 0;
-        if (!tls1_get_supported_group(ctx->ssl, &nid))
-                return 0;
-        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
+        if (ctx->hs->tls13.server_group == 0)
                 return 0;
 
         if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -511,8 +507,6 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
         if (!tls13_servername_process(ctx))
                 return 0;
 
-        ctx->hs->tls13.server_group = 0;
-
         if (!tls13_server_hello_build(ctx, cbb, 0))
                 return 0;
 
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index e3c9c939e2..766da6e667 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.234 2025/06/24 13:37:11 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.235 2025/10/11 15:46:06 deraadt Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -1542,7 +1542,12 @@ connection_info(const char *host, const char *port, const char *proto,
 
         /* Look up service name unless -n. */
         if (!nflag) {
-                sv = getservbyport(ntohs(atoi(port)), proto);
+                const char *errstr;
+
+                int p = strtonum(port, 1, PORT_MAX, &errstr);
+                if (errstr)
+                        errx(1, "port number %s: %s", errstr, port);
+                sv = getservbyport(htons(p), proto);
                 if (sv != NULL)
                         service = sv->s_name;
         }