From 1de11e7e8f780f3c0123b481a3ecf4d8ae835e20 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 29 Jun 2022 08:39:08 +0000
Subject: Also check the security level in SSL_get1_supported_ciphers

ok beck jsing
---
 src/lib/libssl/ssl_lib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 2bbc8e54d0..be01f771e0 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.291 2022/06/28 20:34:17 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.292 2022/06/29 08:39:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1449,7 +1449,7 @@ STACK_OF(SSL_CIPHER) *
 SSL_get1_supported_ciphers(SSL *s)
 {
 	STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers;
-	const SSL_CIPHER *cipher;
+	SSL_CIPHER *cipher;
 	uint16_t min_vers, max_vers;
 	int i;
 
@@ -1468,6 +1468,9 @@ SSL_get1_supported_ciphers(SSL *s)
 		if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
 		    max_vers))
 			continue;
+		if (!ssl_security(s, SSL_SECOP_CIPHER_SUPPORTED,
+		    cipher->strength_bits, 0, cipher))
+			continue;
 		if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
 			goto err;
 	}
-- 
cgit v1.2.3-55-g6feb