From 353d4d96371450be417c61c52a3211a8a3c45ed6 Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 29 Jun 2022 08:39:08 +0000 Subject: [PATCH] Also check the security level in SSL_get1_supported_ciphers ok beck jsing --- lib/libssl/ssl_lib.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 2bbc8e54d0c..be01f771e08 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.291 2022/06/28 20:34:17 tb Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.292 2022/06/29 08:39:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1449,7 +1449,7 @@ STACK_OF(SSL_CIPHER) * SSL_get1_supported_ciphers(SSL *s) { STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers; - const SSL_CIPHER *cipher; + SSL_CIPHER *cipher; uint16_t min_vers, max_vers; int i; @@ -1468,6 +1468,9 @@ SSL_get1_supported_ciphers(SSL *s) if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; + if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED, + cipher->strength_bits, 0, cipher)) + continue; if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)) goto err; } -- 2.20.1