From 6057ab79f98d627f9d2e0b9a391d601ade293bd0 Mon Sep 17 00:00:00 2001
From: Christopher Patton
Date: Mon, 18 Sep 2023 14:23:30 -0700
Subject: [PATCH] Enable P-521 with "kx-safe-default"

While not commonly used, P-521 is a perfectly safe choice of key exchange algorithm.
---
 boring/src/ssl/mod.rs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index bd3dde77..6fe8615b 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -2423,21 +2423,21 @@ impl SslRef {
 fn client_set_default_curves_list(&mut self) -> Result<(), ErrorStack> {
 let curves = if cfg!(feature = "kx-client-pq-preferred") {
 if cfg!(feature = "kx-client-nist-required") {
- "P256Kyber768Draft00:P-256:P-384"
+ "P256Kyber768Draft00:P-256:P-384:P-521"
 } else {
- "X25519Kyber768Draft00:X25519:P256Kyber768Draft00:P-256:P-384"
+ "X25519Kyber768Draft00:X25519:P256Kyber768Draft00:P-256:P-384:P-521"
 }
 } else if cfg!(feature = "kx-client-pq-supported") {
 if cfg!(feature = "kx-client-nist-required") {
- "P-256:P-384:P256Kyber768Draft00"
+ "P-256:P-384:P-521:P256Kyber768Draft00"
 } else {
- "X25519:P-256:P-384:X25519Kyber768Draft00:P256Kyber768Draft00"
+ "X25519:P-256:P-384:P-521:X25519Kyber768Draft00:P256Kyber768Draft00"
 }
 } else {
 if cfg!(feature = "kx-client-nist-required") {
- "P-256:P-384"
+ "P-256:P-384:P-521"
 } else {
- "X25519:P-256:P-384"
+ "X25519:P-256:P-384:P-521"
 }
 };
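Review bot: All six changed literals sit inside `client_set_default_curves_list`, and the diffstat shows no other edits, so P-521 is enabled only for the client-side defaults even though the subject line reads as covering "kx-safe-default" as a whole. If the feature also configures a server-side default list elsewhere in this file (not visible in this hunk), it should gain `:P-521` in the same commit, or the message should say the change is client-only; otherwise the two sides end up with different supported-group sets. A short comment above `let curves` would also help the next editor, for example `// Order is preference order; P-521 is kept last among the classical groups in every variant.` The function body continues past the end of the hunk, so the call that applies `curves` is not reviewed here.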