sfackler · romen · Mar 7, 2024 · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/openssl-sys/src/handwritten/ssl.rs b/openssl-sys/src/handwritten/ssl.rs
@@ -951,3 +951,8 @@ extern "C" {
     #[cfg(any(ossl110, libressl360))]
     pub fn SSL_get_security_level(s: *const SSL) -> c_int;
 }
+
+extern "C" {
+    #[cfg(ossl300)]
+    pub fn SSL_group_to_name(ssl: *mut SSL, id: c_int) -> *const c_char;
+}
diff --git a/openssl-sys/src/ssl.rs b/openssl-sys/src/ssl.rs
@@ -363,6 +363,8 @@ pub const SSL_CTRL_GET_MIN_PROTO_VERSION: c_int = 130;
 pub const SSL_CTRL_GET_MAX_PROTO_VERSION: c_int = 131;
 #[cfg(ossl300)]
 pub const SSL_CTRL_GET_TMP_KEY: c_int = 133;
+#[cfg(ossl300)]
+pub const SSL_CTRL_GET_NEGOTIATED_GROUP: c_int = 134;
 
 pub unsafe fn SSL_CTX_set_tmp_dh(ctx: *mut SSL_CTX, dh: *mut DH) -> c_long {
     SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, dh as *mut c_void)
@@ -519,6 +521,10 @@ cfg_if! {
         pub unsafe fn SSL_get_tmp_key(ssl: *mut SSL, key: *mut *mut EVP_PKEY) -> c_long {
             SSL_ctrl(ssl, SSL_CTRL_GET_TMP_KEY, 0, key as *mut c_void)
         }
+
+        pub unsafe fn SSL_get_negotiated_group(ssl: *mut SSL) -> c_int {
+            SSL_ctrl(ssl, SSL_CTRL_GET_NEGOTIATED_GROUP, 0, ptr::null_mut()) as c_int
+        }
     }
 }
 

diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
@@ -59,6 +59,8 @@
 //! ```
 #[cfg(ossl300)]
 use crate::cvt_long;
+#[cfg(ossl300)]
+use crate::cvt_p_const;
 use crate::dh::{Dh, DhRef};
 #[cfg(all(ossl101, not(ossl110)))]
 use crate::ec::EcKey;
@@ -3484,6 +3486,48 @@ impl SslRef {
             }
         }
     }
+
+    /// Returns the NID of the negotiated group used for the handshake key
+    /// exchange process.
+    /// For TLSv1.3 connections this typically reflects the state of the
+    /// current connection, though in the case of PSK-only resumption, the
+    /// returned value will be from a previous connection.
+    /// For earlier TLS versions, when a session has been resumed, it always
+    /// reflects the group used for key exchange during the initial handshake
+    /// (otherwise it is from the current, non-resumption, connection).
+    /// This can be called by either client or server.
+    ///
+    /// If the NID for the shared group is unknown then the value is set to the
+    /// bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group.
+    #[corresponds(SSL_get_negotiated_group)]
+    #[cfg(ossl300)]
+    pub fn negotiated_group(&self) -> Result<c_int, ErrorStack> {
+        unsafe { cvt(ffi::SSL_get_negotiated_group(self.as_ptr())) }
+    }
+
+    /// Return the TLS group name associated with a given TLS group ID, as
+    /// registered via built-in or external providers and as returned by a call
+    /// to SSL_get1_groups() or SSL_get_shared_group().
+    ///
+    /// If non-NULL, SSL_group_to_name() returns the TLS group name
+    /// corresponding to the given id as a NUL-terminated string.
+    /// If SSL_group_to_name() returns NULL, an error occurred; possibly no
+    /// corresponding tlsname was registered during provider initialisation.
+    ///
+    /// Note that the return value is valid only during the lifetime of the
+    /// SSL object ssl.
+    #[corresponds(SSL_group_to_name)]
+    #[cfg(ossl300)]
+    pub fn group_to_name(&self, id: c_int) -> Result<&str, ErrorStack> {
+        unsafe {
+            match cvt_p_const(ffi::SSL_group_to_name(self.as_ptr(), id)) {
+                Ok(constp) => Ok(CStr::from_ptr(constp)
+                    .to_str()
+                    .expect("Invalid UTF8 in input")),
+                Err(e) => Err(e),
+            }
+        }
+    }
 }
 
 /// An SSL stream midway through the handshake process.