1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 1b5aad72f7..68bb6a3889 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.22 2020/10/11 01:13:04 guenther Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.23 2021/03/10 18:27:02 jsing Exp $ */
 /*
 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
 *
@@ -265,7 +265,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
        int check_curve = 0;
        CBS cbs;
-        if (TLS1_get_version(s) >= TLS1_3_VERSION) {
+        if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
                tls_sigalgs = tls13_sigalgs;
                tls_sigalgs_len = tls13_sigalgs_len;
                check_curve = 1;
@@ -291,7 +291,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
         * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
         * which case the server must use the the default.
         */
-        if (TLS1_get_version(s) < TLS1_3_VERSION &&
+        if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
            S3I(s)->hs.sigalgs == NULL) {
                switch (pkey->type) {
                case EVP_PKEY_RSA:
@@ -323,7 +323,7 @@ ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
                        continue;
                /* RSA cannot be used without PSS in TLSv1.3. */
-                if (TLS1_get_version(s) >= TLS1_3_VERSION &&
+                if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
                    sigalg->key_type == EVP_PKEY_RSA &&
                    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
                        continue;

diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c index 1b5aad72f7..68bb6a3889 100644 --- a/src/lib/libssl/ssl_sigalgs.c +++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_sigalgs.c,v 1.22 2020/10/11 01:13:04 guenther Exp $ */	1	/* $OpenBSD: ssl_sigalgs.c,v 1.23 2021/03/10 18:27:02 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -265,7 +265,7 @@ ssl_sigalg_select(SSL s, EVP_PKEY pkey)
265	int check_curve = 0;	265	int check_curve = 0;
266	CBS cbs;	266	CBS cbs;
267		267
268	if (TLS1_get_version(s) >= TLS1_3_VERSION) {	268	if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION) {
269	tls_sigalgs = tls13_sigalgs;	269	tls_sigalgs = tls13_sigalgs;
270	tls_sigalgs_len = tls13_sigalgs_len;	270	tls_sigalgs_len = tls13_sigalgs_len;
271	check_curve = 1;	271	check_curve = 1;
@@ -291,7 +291,7 @@ ssl_sigalg_select(SSL s, EVP_PKEY pkey)
291	* RFC 5246 allows a TLS 1.2 client to send no sigalgs, in	291	* RFC 5246 allows a TLS 1.2 client to send no sigalgs, in
292	* which case the server must use the the default.	292	* which case the server must use the the default.
293	*/	293	*/
294	if (TLS1_get_version(s) < TLS1_3_VERSION &&	294	if (S3I(s)->hs.negotiated_tls_version < TLS1_3_VERSION &&
295	S3I(s)->hs.sigalgs == NULL) {	295	S3I(s)->hs.sigalgs == NULL) {
296	switch (pkey->type) {	296	switch (pkey->type) {
297	case EVP_PKEY_RSA:	297	case EVP_PKEY_RSA:
@@ -323,7 +323,7 @@ ssl_sigalg_select(SSL s, EVP_PKEY pkey)
323	continue;	323	continue;
324		324
325	/* RSA cannot be used without PSS in TLSv1.3. */	325	/* RSA cannot be used without PSS in TLSv1.3. */
326	if (TLS1_get_version(s) >= TLS1_3_VERSION &&	326	if (S3I(s)->hs.negotiated_tls_version >= TLS1_3_VERSION &&
327	sigalg->key_type == EVP_PKEY_RSA &&	327	sigalg->key_type == EVP_PKEY_RSA &&
328	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)	328	(sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
329	continue;	329	continue;