From a49f2cdc5cecf215b48eb6ca877cac1c095006d7 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 8 Jun 2026 12:05:25 +0000
Subject: [PATCH] tlsext: add XXX to consider refusing anything but uncompressed point format

ok jsing kenjiro
---
 lib/libssl/ssl_tlsext.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index ccdb5d1dfa1..22c5e7d1b1a 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.161 2026/06/06 08:45:41 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.162 2026/06/08 12:05:25 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing
  * Copyright (c) 2017 Doug Hogan
@@ -386,6 +386,8 @@ tlsext_ecpf_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 	if (CBS_len(&ecpf) == 0)
 		return 0;
 
+	/* XXX - tighten this to reject anything but uncompressed format? */
+
 	/* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
 	if (!CBS_contains_zero_byte(&ecpf)) {
 		SSLerror(s, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
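Review bot: The new XXX comment in the second hunk asks the question but leaves out the reason it stays a question: the check below it only requires that the uncompressed format (0) be present, so a list that also carries the compressed formats RFC 8422 deprecates still passes, and rejecting such lists outright would affect any peer that still advertises them next to 0. I would record that tradeoff so the next reader knows what answering the XXX costs, e.g. `/* XXX - tighten this to reject anything but uncompressed format? RFC 8422 deprecates the compressed formats, but peers may still list them alongside 0. */`. Whether such peers exist in practice is not answerable from the hunk, so that part is inferred. tlsext_ecpf_process begins and ends outside the hunk.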