Also check the security level when choosing a shared cipher

ok beck jsing

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index b4ad11d..66d0eba 100644 (file)
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.229 2022/06/29 08:30:04 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.230 2022/06/29 08:37:18 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2527,6 +2527,10 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                    !(c->algorithm_ssl & SSL_TLSV1_3))
                        continue;
 
+               if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED, c->strength_bits,
+                   0, c))
+                       continue;
+
                ssl_set_cert_masks(cert, c);
                mask_k = cert->mask_k;
                mask_a = cert->mask_a;