1 files changed, 125 insertions, 84 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b200f78098..912bea592a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
 }
 struct supported_group {
+        uint16_t group_id;
        int nid;
        int bits;
 };
@@ -160,122 +161,156 @@ struct supported_group {
 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
 */
 static const struct supported_group nid_list[] = {
-        [1] = {
+        {
+                .group_id = 1,
                .nid = NID_sect163k1,
                .bits = 80,
        },
-        [2] = {
+        {
+                .group_id = 2,
                .nid = NID_sect163r1,
                .bits = 80,
        },
-        [3] = {
+        {
+                .group_id = 3,
                .nid = NID_sect163r2,
                .bits = 80,
        },
-        [4] = {
+        {
+                .group_id = 4,
                .nid = NID_sect193r1,
                .bits = 80,
        },
-        [5] = {
+        {
+                .group_id = 5,
                .nid = NID_sect193r2,
                .bits = 80,
        },
-        [6] = {
+        {
+                .group_id = 6,
                .nid = NID_sect233k1,
                .bits = 112,
        },
-        [7] = {
+        {
+                .group_id = 7,
                .nid = NID_sect233r1,
                .bits = 112,
        },
-        [8] = {
+        {
+                .group_id = 8,
                .nid = NID_sect239k1,
                .bits = 112,
        },
-        [9] = {
+        {
+                .group_id = 9,
                .nid = NID_sect283k1,
                .bits = 128,
        },
-        [10] = {
+        {
+                .group_id = 10,
                .nid = NID_sect283r1,
                .bits = 128,
        },
-        [11] = {
+        {
+                .group_id = 11,
                .nid = NID_sect409k1,
                .bits = 192,
        },
-        [12] = {
+        {
+                .group_id = 12,
                .nid = NID_sect409r1,
                .bits = 192,
        },
-        [13] = {
+        {
+                .group_id = 13,
                .nid = NID_sect571k1,
                .bits = 256,
        },
-        [14] = {
+        {
+                .group_id = 14,
                .nid = NID_sect571r1,
                .bits = 256,
        },
-        [15] = {
+        {
+                .group_id = 15,
                .nid = NID_secp160k1,
                .bits = 80,
        },
-        [16] = {
+        {
+                .group_id = 16,
                .nid = NID_secp160r1,
                .bits = 80,
        },
-        [17] = {
+        {
+                .group_id = 17,
                .nid = NID_secp160r2,
                .bits = 80,
        },
-        [18] = {
+        {
+                .group_id = 18,
                .nid = NID_secp192k1,
                .bits = 80,
        },
-        [19] = {
+        {
+                .group_id = 19,
                .nid = NID_X9_62_prime192v1,    /* aka secp192r1 */
                .bits = 80,
        },
-        [20] = {
+        {
+                .group_id = 20,
                .nid = NID_secp224k1,
                .bits = 112,
        },
-        [21] = {
+        {
+                .group_id = 21,
                .nid = NID_secp224r1,
                .bits = 112,
        },
-        [22] = {
+        {
+                .group_id = 22,
                .nid = NID_secp256k1,
                .bits = 128,
        },
-        [23] = {
+        {
+                .group_id = 23,
                .nid = NID_X9_62_prime256v1,    /* aka secp256r1 */
                .bits = 128,
        },
-        [24] = {
+        {
+                .group_id = 24,
                .nid = NID_secp384r1,
                .bits = 192,
        },
-        [25] = {
+        {
+                .group_id = 25,
                .nid = NID_secp521r1,
                .bits = 256,
        },
-        [26] = {
+        {
+                .group_id = 26,
                .nid = NID_brainpoolP256r1,
                .bits = 128,
        },
-        [27] = {
+        {
+                .group_id = 27,
                .nid = NID_brainpoolP384r1,
                .bits = 192,
        },
-        [28] = {
+        {
+                .group_id = 28,
                .nid = NID_brainpoolP512r1,
                .bits = 256,
        },
-        [29] = {
+        {
+                .group_id = 29,
                .nid = NID_X25519,
                .bits = 128,
        },
+        {
+                .group_id = 4588,
+                .nid = NID_X25519MLKEM768,
+                .bits = 128,
+        },
 };
 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -292,41 +327,21 @@ static const uint8_t ecformats_default[] = {
        TLSEXT_ECPOINTFORMAT_uncompressed,
 };
-#if 0
+static const uint16_t ecgroups_tls12_client_default[] = {
-static const uint16_t ecgroups_list[] = {
        29,                     /* X25519 (29) */
-        14,                     /* sect571r1 (14) */
+        23,                     /* secp256r1 (23) */
-        13,                     /* sect571k1 (13) */
-        25,                     /* secp521r1 (25) */
-        28,                     /* brainpoolP512r1 (28) */
-        11,                     /* sect409k1 (11) */
-        12,                     /* sect409r1 (12) */
-        27,                     /* brainpoolP384r1 (27) */
        24,                     /* secp384r1 (24) */
-        9,                      /* sect283k1 (9) */
+        25,                     /* secp521r1 (25) */
-        10,                     /* sect283r1 (10) */
+};
-        26,                     /* brainpoolP256r1 (26) */
-        22,                     /* secp256k1 (22) */
+static const uint16_t ecgroups_tls12_server_default[] = {
+        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
-        8,                      /* sect239k1 (8) */
+        24,                     /* secp384r1 (24) */
-        6,                      /* sect233k1 (6) */
-        7,                      /* sect233r1 (7) */
-        20,                     /* secp224k1 (20) */
-        21,                     /* secp224r1 (21) */
-        4,                      /* sect193r1 (4) */
-        5,                      /* sect193r2 (5) */
-        18,                     /* secp192k1 (18) */
-        19,                     /* secp192r1 (19) */
-        1,                      /* sect163k1 (1) */
-        2,                      /* sect163r1 (2) */
-        3,                      /* sect163r2 (3) */
-        15,                     /* secp160k1 (15) */
-        16,                     /* secp160r1 (16) */
-        17,                     /* secp160r2 (17) */
 };
-#endif
 static const uint16_t ecgroups_client_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
        24,                     /* secp384r1 (24) */
@@ -334,23 +349,47 @@ static const uint16_t ecgroups_client_default[] = {
 };
 static const uint16_t ecgroups_server_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
        24,                     /* secp384r1 (24) */
 };
+static const struct supported_group *
+tls1_supported_group_by_id(uint16_t group_id)
+{
+        int i;
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (group_id == nid_list[i].group_id)
+                        return &nid_list[i];
+        }
+        return NULL;
+}
+static const struct supported_group *
+tls1_supported_group_by_nid(int nid)
+{
+        int i;
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (nid == nid_list[i].nid)
+                        return &nid_list[i];
+        }
+        return NULL;
+}
 int
 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        int nid;
+        const struct supported_group *sg;
-        if (group_id >= NID_LIST_LEN)
-                return 0;
-        if ((nid = nid_list[group_id].nid) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                return 0;
-        *out_nid = nid;
+        *out_nid = sg->nid;
        return 1;
 }
@@ -358,15 +397,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 int
 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        int bits;
+        const struct supported_group *sg;
-        if (group_id >= NID_LIST_LEN)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                return 0;
-        if ((bits = nid_list[group_id].bits) == 0)
+        *out_bits = sg->bits;
-                return 0;
-        *out_bits = bits;
        return 1;
 }
@@ -374,19 +410,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 int
 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
 {
-        uint16_t group_id;
+        const struct supported_group *sg;
-        if (nid == 0)
+        if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
                return 0;
-        for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
+        *out_group_id = sg->group_id;
-                if (nid_list[group_id].nid == nid) {
-                        *out_group_id = group_id;
-                        return 1;
-                }
-        }
-        return 0;
+        return 1;
 }
 /*
@@ -433,11 +464,21 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
                return;
        if (!s->server) {
-                *pgroups = ecgroups_client_default;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
-                *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                        *pgroups = ecgroups_client_default;
+                        *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_client_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
+                }
        } else {
-                *pgroups = ecgroups_server_default;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
-                *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                        *pgroups = ecgroups_server_default;
+                        *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_server_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
+                }
        }
 }

diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index b200f78098..912bea592a 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */	1	/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
151	}	151	}
152		152
153	struct supported_group {	153	struct supported_group {
		154	uint16_t group_id;
154	int nid;	155	int nid;
155	int bits;	156	int bits;
156	};	157	};
@@ -160,122 +161,156 @@ struct supported_group {
160	* https://www.iana.org/assignments/tls-parameters/#tls-parameters-8	161	* https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
161	*/	162	*/
162	static const struct supported_group nid_list[] = {	163	static const struct supported_group nid_list[] = {
163	[1] = {	164	{
		165	.group_id = 1,
164	.nid = NID_sect163k1,	166	.nid = NID_sect163k1,
165	.bits = 80,	167	.bits = 80,
166	},	168	},
167	[2] = {	169	{
		170	.group_id = 2,
168	.nid = NID_sect163r1,	171	.nid = NID_sect163r1,
169	.bits = 80,	172	.bits = 80,
170	},	173	},
171	[3] = {	174	{
		175	.group_id = 3,
172	.nid = NID_sect163r2,	176	.nid = NID_sect163r2,
173	.bits = 80,	177	.bits = 80,
174	},	178	},
175	[4] = {	179	{
		180	.group_id = 4,
176	.nid = NID_sect193r1,	181	.nid = NID_sect193r1,
177	.bits = 80,	182	.bits = 80,
178	},	183	},
179	[5] = {	184	{
		185	.group_id = 5,
180	.nid = NID_sect193r2,	186	.nid = NID_sect193r2,
181	.bits = 80,	187	.bits = 80,
182	},	188	},
183	[6] = {	189	{
		190	.group_id = 6,
184	.nid = NID_sect233k1,	191	.nid = NID_sect233k1,
185	.bits = 112,	192	.bits = 112,
186	},	193	},
187	[7] = {	194	{
		195	.group_id = 7,
188	.nid = NID_sect233r1,	196	.nid = NID_sect233r1,
189	.bits = 112,	197	.bits = 112,
190	},	198	},
191	[8] = {	199	{
		200	.group_id = 8,
192	.nid = NID_sect239k1,	201	.nid = NID_sect239k1,
193	.bits = 112,	202	.bits = 112,
194	},	203	},
195	[9] = {	204	{
		205	.group_id = 9,
196	.nid = NID_sect283k1,	206	.nid = NID_sect283k1,
197	.bits = 128,	207	.bits = 128,
198	},	208	},
199	[10] = {	209	{
		210	.group_id = 10,
200	.nid = NID_sect283r1,	211	.nid = NID_sect283r1,
201	.bits = 128,	212	.bits = 128,
202	},	213	},
203	[11] = {	214	{
		215	.group_id = 11,
204	.nid = NID_sect409k1,	216	.nid = NID_sect409k1,
205	.bits = 192,	217	.bits = 192,
206	},	218	},
207	[12] = {	219	{
		220	.group_id = 12,
208	.nid = NID_sect409r1,	221	.nid = NID_sect409r1,
209	.bits = 192,	222	.bits = 192,
210	},	223	},
211	[13] = {	224	{
		225	.group_id = 13,
212	.nid = NID_sect571k1,	226	.nid = NID_sect571k1,
213	.bits = 256,	227	.bits = 256,
214	},	228	},
215	[14] = {	229	{
		230	.group_id = 14,
216	.nid = NID_sect571r1,	231	.nid = NID_sect571r1,
217	.bits = 256,	232	.bits = 256,
218	},	233	},
219	[15] = {	234	{
		235	.group_id = 15,
220	.nid = NID_secp160k1,	236	.nid = NID_secp160k1,
221	.bits = 80,	237	.bits = 80,
222	},	238	},
223	[16] = {	239	{
		240	.group_id = 16,
224	.nid = NID_secp160r1,	241	.nid = NID_secp160r1,
225	.bits = 80,	242	.bits = 80,
226	},	243	},
227	[17] = {	244	{
		245	.group_id = 17,
228	.nid = NID_secp160r2,	246	.nid = NID_secp160r2,
229	.bits = 80,	247	.bits = 80,
230	},	248	},
231	[18] = {	249	{
		250	.group_id = 18,
232	.nid = NID_secp192k1,	251	.nid = NID_secp192k1,
233	.bits = 80,	252	.bits = 80,
234	},	253	},
235	[19] = {	254	{
		255	.group_id = 19,
236	.nid = NID_X9_62_prime192v1, /* aka secp192r1 */	256	.nid = NID_X9_62_prime192v1, /* aka secp192r1 */
237	.bits = 80,	257	.bits = 80,
238	},	258	},
239	[20] = {	259	{
		260	.group_id = 20,
240	.nid = NID_secp224k1,	261	.nid = NID_secp224k1,
241	.bits = 112,	262	.bits = 112,
242	},	263	},
243	[21] = {	264	{
		265	.group_id = 21,
244	.nid = NID_secp224r1,	266	.nid = NID_secp224r1,
245	.bits = 112,	267	.bits = 112,
246	},	268	},
247	[22] = {	269	{
		270	.group_id = 22,
248	.nid = NID_secp256k1,	271	.nid = NID_secp256k1,
249	.bits = 128,	272	.bits = 128,
250	},	273	},
251	[23] = {	274	{
		275	.group_id = 23,
252	.nid = NID_X9_62_prime256v1, /* aka secp256r1 */	276	.nid = NID_X9_62_prime256v1, /* aka secp256r1 */
253	.bits = 128,	277	.bits = 128,
254	},	278	},
255	[24] = {	279	{
		280	.group_id = 24,
256	.nid = NID_secp384r1,	281	.nid = NID_secp384r1,
257	.bits = 192,	282	.bits = 192,
258	},	283	},
259	[25] = {	284	{
		285	.group_id = 25,
260	.nid = NID_secp521r1,	286	.nid = NID_secp521r1,
261	.bits = 256,	287	.bits = 256,
262	},	288	},
263	[26] = {	289	{
		290	.group_id = 26,
264	.nid = NID_brainpoolP256r1,	291	.nid = NID_brainpoolP256r1,
265	.bits = 128,	292	.bits = 128,
266	},	293	},
267	[27] = {	294	{
		295	.group_id = 27,
268	.nid = NID_brainpoolP384r1,	296	.nid = NID_brainpoolP384r1,
269	.bits = 192,	297	.bits = 192,
270	},	298	},
271	[28] = {	299	{
		300	.group_id = 28,
272	.nid = NID_brainpoolP512r1,	301	.nid = NID_brainpoolP512r1,
273	.bits = 256,	302	.bits = 256,
274	},	303	},
275	[29] = {	304	{
		305	.group_id = 29,
276	.nid = NID_X25519,	306	.nid = NID_X25519,
277	.bits = 128,	307	.bits = 128,
278	},	308	},
		309	{
		310	.group_id = 4588,
		311	.nid = NID_X25519MLKEM768,
		312	.bits = 128,
		313	},
279	};	314	};
280		315
281	#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))	316	#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -292,41 +327,21 @@ static const uint8_t ecformats_default[] = {
292	TLSEXT_ECPOINTFORMAT_uncompressed,	327	TLSEXT_ECPOINTFORMAT_uncompressed,
293	};	328	};
294		329
295	#if 0	330	static const uint16_t ecgroups_tls12_client_default[] = {
296	static const uint16_t ecgroups_list[] = {
297	29, /* X25519 (29) */	331	29, /* X25519 (29) */
298	14, /* sect571r1 (14) */	332	23, /* secp256r1 (23) */
299	13, /* sect571k1 (13) */
300	25, /* secp521r1 (25) */
301	28, /* brainpoolP512r1 (28) */
302	11, /* sect409k1 (11) */
303	12, /* sect409r1 (12) */
304	27, /* brainpoolP384r1 (27) */
305	24, /* secp384r1 (24) */	333	24, /* secp384r1 (24) */
306	9, /* sect283k1 (9) */	334	25, /* secp521r1 (25) */
307	10, /* sect283r1 (10) */	335	};
308	26, /* brainpoolP256r1 (26) */	336
309	22, /* secp256k1 (22) */	337	static const uint16_t ecgroups_tls12_server_default[] = {
		338	29, /* X25519 (29) */
310	23, /* secp256r1 (23) */	339	23, /* secp256r1 (23) */
311	8, /* sect239k1 (8) */	340	24, /* secp384r1 (24) */
312	6, /* sect233k1 (6) */
313	7, /* sect233r1 (7) */
314	20, /* secp224k1 (20) */
315	21, /* secp224r1 (21) */
316	4, /* sect193r1 (4) */
317	5, /* sect193r2 (5) */
318	18, /* secp192k1 (18) */
319	19, /* secp192r1 (19) */
320	1, /* sect163k1 (1) */
321	2, /* sect163r1 (2) */
322	3, /* sect163r2 (3) */
323	15, /* secp160k1 (15) */
324	16, /* secp160r1 (16) */
325	17, /* secp160r2 (17) */
326	};	341	};
327	#endif
328		342
329	static const uint16_t ecgroups_client_default[] = {	343	static const uint16_t ecgroups_client_default[] = {
		344	4588, /* X25519MLKEM768 (4588) */
330	29, /* X25519 (29) */	345	29, /* X25519 (29) */
331	23, /* secp256r1 (23) */	346	23, /* secp256r1 (23) */
332	24, /* secp384r1 (24) */	347	24, /* secp384r1 (24) */
@@ -334,23 +349,47 @@ static const uint16_t ecgroups_client_default[] = {
334	};	349	};
335		350
336	static const uint16_t ecgroups_server_default[] = {	351	static const uint16_t ecgroups_server_default[] = {
		352	4588, /* X25519MLKEM768 (4588) */
337	29, /* X25519 (29) */	353	29, /* X25519 (29) */
338	23, /* secp256r1 (23) */	354	23, /* secp256r1 (23) */
339	24, /* secp384r1 (24) */	355	24, /* secp384r1 (24) */
340	};	356	};
341		357
		358	static const struct supported_group *
		359	tls1_supported_group_by_id(uint16_t group_id)
		360	{
		361	int i;
		362
		363	for (i = 0; i < NID_LIST_LEN; i++) {
		364	if (group_id == nid_list[i].group_id)
		365	return &nid_list[i];
		366	}
		367
		368	return NULL;
		369	}
		370
		371	static const struct supported_group *
		372	tls1_supported_group_by_nid(int nid)
		373	{
		374	int i;
		375
		376	for (i = 0; i < NID_LIST_LEN; i++) {
		377	if (nid == nid_list[i].nid)
		378	return &nid_list[i];
		379	}
		380
		381	return NULL;
		382	}
		383
342	int	384	int
343	tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)	385	tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
344	{	386	{
345	int nid;	387	const struct supported_group *sg;
346
347	if (group_id >= NID_LIST_LEN)
348	return 0;
349		388
350	if ((nid = nid_list[group_id].nid) == 0)	389	if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
351	return 0;	390	return 0;
352		391
353	*out_nid = nid;	392	*out_nid = sg->nid;
354		393
355	return 1;	394	return 1;
356	}	395	}
@@ -358,15 +397,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
358	int	397	int
359	tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)	398	tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
360	{	399	{
361	int bits;	400	const struct supported_group *sg;
362		401
363	if (group_id >= NID_LIST_LEN)	402	if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
364	return 0;	403	return 0;
365		404
366	if ((bits = nid_list[group_id].bits) == 0)	405	*out_bits = sg->bits;
367	return 0;
368
369	*out_bits = bits;
370		406
371	return 1;	407	return 1;
372	}	408	}
@@ -374,19 +410,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
374	int	410	int
375	tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)	411	tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
376	{	412	{
377	uint16_t group_id;	413	const struct supported_group *sg;
378		414
379	if (nid == 0)	415	if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
380	return 0;	416	return 0;
381		417
382	for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {	418	*out_group_id = sg->group_id;
383	if (nid_list[group_id].nid == nid) {
384	*out_group_id = group_id;
385	return 1;
386	}
387	}
388		419
389	return 0;	420	return 1;
390	}	421	}
391		422
392	/*	423	/*
@@ -433,11 +464,21 @@ tls1_get_group_list(const SSL s, int client_groups, const uint16_t *pgroups,
433	return;	464	return;
434		465
435	if (!s->server) {	466	if (!s->server) {
436	*pgroups = ecgroups_client_default;	467	if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
437	*pgroupslen = sizeof(ecgroups_client_default) / 2;	468	*pgroups = ecgroups_client_default;
		469	*pgroupslen = sizeof(ecgroups_client_default) / 2;
		470	} else {
		471	*pgroups = ecgroups_tls12_client_default;
		472	*pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
		473	}
438	} else {	474	} else {
439	*pgroups = ecgroups_server_default;	475	if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
440	*pgroupslen = sizeof(ecgroups_server_default) / 2;	476	*pgroups = ecgroups_server_default;
		477	*pgroupslen = sizeof(ecgroups_server_default) / 2;
		478	} else {
		479	*pgroups = ecgroups_tls12_server_default;
		480	*pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
		481	}
441	}	482	}
442	}	483	}
443		484