From ff55ae35ce91503ea79ecd5ec86595c03b2d138f Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 30 Jun 2022 16:05:07 +0000
Subject: Check security level for supported groups.

ok jsing
---
src/lib/libssl/ssl_seclevel.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/ssl_seclevel.c')

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 954f27b336..35f8b8891b 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_seclevel.c,v 1.13 2022/06/30 11:25:52 tb Exp $ */
+/* $OpenBSD: ssl_seclevel.c,v 1.14 2022/06/30 16:05:07 tb Exp $ */
 /*
 * Copyright (c) 2020 Theo Buehler
 *
@@ -27,6 +27,7 @@
 #include
 #include
+#include "bytestring.h"
 #include "ssl_locl.h"
 static int
@@ -398,3 +399,25 @@ ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509,
 return 1;
 }
+
+int
+ssl_security_supported_group(const SSL *ssl, uint16_t curve_id)
+{
+ CBB cbb;
+ int bits, nid;
+ uint8_t curve[2];
+
+ if ((bits = tls1_ec_curve_id2bits(curve_id)) == 0)
+ return 0;
+ if ((nid = tls1_ec_curve_id2nid(curve_id)) == NID_undef)
+ return 0;
+
+ if (!CBB_init_fixed(&cbb, curve, sizeof(curve)))
+ return 0;
+ if (!CBB_add_u16(&cbb, curve_id))
+ return 0;
+ if (!CBB_finish(&cbb, NULL, NULL))
+ return 0;
+
+ return ssl_security(ssl, SSL_SECOP_CURVE_SUPPORTED, bits, nid, curve);
+}
-- cgit v1.2.3-55-g6feb
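Review bot: The two failure returns that follow a successful `CBB_init_fixed()` in ssl_security_supported_group() (the `CBB_add_u16` and `CBB_finish` checks) leave the function without calling `CBB_cleanup(&cbb)`. The implementation of CBB_init_fixed is not visible here, but if it allocates internal bookkeeping for the CBB, that state is leaked on those paths. With a fixed two-byte buffer and a single u16 write the paths are hard to reach, but sending both to a shared exit, `err: CBB_cleanup(&cbb); return 0;`, costs nothing and matches the usual CBB pattern. A short comment above the function would also help, for example `/* Returns 0 (group refused) for unknown group ids as well as for groups rejected by the security callback. */`, because `bits == 0` and `NID_undef` are treated as fail-closed rejections rather than errors. The whole function is visible in this hunk.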