use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with DTLS
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 0633c09..9e52ed4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -928,7 +928,7 @@
/* Don't digest cached records if TLS v1.2: we may need them for
* client authentication.
*/
- if (s->version < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
+ if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
goto f_err;
/* lets get the compression algorithm */
/* COMPRESSION */
@@ -1659,7 +1659,7 @@
/* if it was signed, check the signature */
if (pkey != NULL)
{
- if (s->version >= TLS1_2_VERSION)
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
int sigalg = tls12_get_sigid(pkey);
/* Should never happen */
@@ -1704,7 +1704,7 @@
}
#ifndef OPENSSL_NO_RSA
- if (pkey->type == EVP_PKEY_RSA && s->version < TLS1_2_VERSION)
+ if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
{
int num;
@@ -1864,8 +1864,7 @@
for (i=0; i<ctype_num; i++)
s->s3->tmp.ctype[i]= p[i];
p+=ctype_num;
- /* HACK! For now just skip over signatature algorithms */
- if (s->version >= TLS1_2_VERSION)
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
n2s(p, llen);
/* Check we have enough room for signature algorithms and
@@ -2886,7 +2885,7 @@
EVP_PKEY_sign_init(pctx);
if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
{
- if (s->version < TLS1_2_VERSION)
+ if (TLS1_get_version(s) < TLS1_2_VERSION)
s->method->ssl3_enc->cert_verify_mac(s,
NID_sha1,
&(data[MD5_DIGEST_LENGTH]));
@@ -2898,7 +2897,7 @@
/* For TLS v1.2 send signature algorithm and signature
* using agreed digest and cached handshake records.
*/
- if (s->version >= TLS1_2_VERSION)
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
{
long hdatalen = 0;
void *hdata;
