From d514ed3f0a5ed2d924983d4533a179823bf09ca0 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 Jun 2022 08:27:52 +0000
Subject: Check the security of DH key shares

ok beck, looks good to jsing
---
 src/lib/libssl/ssl_seclevel.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/ssl_seclevel.c')

diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c
index 6c788c205d..34cea637e0 100644
--- a/src/lib/libssl/ssl_seclevel.c
+++ b/src/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_seclevel.c,v 1.5 2022/06/28 20:54:16 tb Exp $ */
+/*	$OpenBSD: ssl_seclevel.c,v 1.6 2022/06/29 08:27:51 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -17,6 +17,7 @@
 
 #include <stddef.h>
 
+#include <openssl/dh.h>
 #include <openssl/ossl_typ.h>
 #include <openssl/ssl.h>
 #include <openssl/tls1.h>
@@ -225,3 +226,13 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
 	return ssl->cert->security_cb(ssl, NULL, op, bits, nid, other,
 	    ssl->cert->security_ex_data);
 }
+
+int
+ssl_security_dh(const SSL *ssl, DH *dh)
+{
+#if defined(LIBRESSL_HAS_SECURITY_LEVEL)
+	return ssl_security(ssl, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh);
+#else
+	return 1;
+#endif
+}
-- 
cgit v1.2.3-55-g6feb