+
+ /* Check group is one of our preferences */
+ tls1_get_supported_groups(s, &groups, &groups_len);
+ if (!tls1_in_list(group_id, groups, groups_len))
+ return 0;
+
+ if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK))
+ return 0;
+
+ /* For clients, nothing more to check */
+ if (!s->server)
+ return 1;
+
+ /* Check group is one of peers preferences */
+ tls1_get_peer_groups(s, &groups, &groups_len);
+
+ /*
+ * RFC 4492 does not require the supported elliptic curves extension
+ * so if it is not sent we can just choose any curve.
+ * It is invalid to send an empty list in the supported groups
+ * extension, so groups_len == 0 always means no extension.
+ */
+ if (groups_len == 0)
+ return 1;
+ return tls1_in_list(group_id, groups, groups_len);