From 57e262bf7a12e3d254072277532d1eff1e23e39f Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 29 Jun 2022 08:34:04 +0000
Subject: [PATCH] There's tentacles, tentacles everywhere

ok beck jsing
---
 lib/libssl/ssl_clnt.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index 52911752352..d49d8ef0560 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.147 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.148 2022/06/29 08:34:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1889,6 +1889,12 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
 	if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
 		goto err;
 
+	if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
+		SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
+		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+		return 0;
+	}
+
 	if (!tls12_derive_master_secret(s, key, key_len))
 		goto err;
 
-- 
2.20.1