Check security level when converting a cipher list to bytes
authortb <tb@openbsd.org>
Wed, 29 Jun 2022 08:38:01 +0000 (08:38 +0000)
committertb <tb@openbsd.org>
Wed, 29 Jun 2022 08:38:01 +0000 (08:38 +0000)
ok beck jsing

lib/libssl/ssl_ciphers.c

index 3174ae9..99f23df 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ssl_ciphers.c,v 1.13 2022/02/05 18:18:18 tb Exp $ */
+/*     $OpenBSD: ssl_ciphers.c,v 1.14 2022/06/29 08:38:01 tb Exp $ */
 /*
  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -70,6 +70,9 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
                if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
                    max_vers))
                        continue;
+               if (!ssl_security(s, SSL_SECOP_CIPHER_CHECK,
+                   cipher->strength_bits, 0, cipher))
+                       continue;
                if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
                        return 0;