From 4fde56091c5bf48eb3057b8aa48a9958aaf84eb1 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 29 Jun 2022 07:55:59 +0000
Subject: [PATCH] Check sigalg security level when selecting them.

ok beck jsing
---
 lib/libssl/ssl_sigalgs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/libssl/ssl_sigalgs.c b/lib/libssl/ssl_sigalgs.c
index f969e4f5515..9c38a076ac8 100644
--- a/lib/libssl/ssl_sigalgs.c
+++ b/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.44 2022/06/29 07:54:54 tb Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.45 2022/06/29 07:55:59 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -272,6 +272,9 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
 static const struct ssl_sigalg *
 ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
 {
+	if (SSL_get_security_level(s) > 1)
+		return NULL;
+
 	/* Default signature algorithms used for TLSv1.2 and earlier. */
 	switch (EVP_PKEY_id(pkey)) {
 	case EVP_PKEY_RSA:
-- 
2.20.1