There's tentacles, tentacles everywhere

ok beck jsing

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 5291175..d49d8ef 100644 (file)
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.147 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.148 2022/06/29 08:34:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1889,6 +1889,12 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
        if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
                goto err;
 
+       if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+               SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+               ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+               return 0;
+       }
+
        if (!tls12_derive_master_secret(s, key, key_len))
                goto err;