Merge pull request #1542 from nghttp2/nghttpx-check-sigalg

nghttpx: Choose ECDSA cert if compatible signature algorithm available

Merge pull request #1542 from nghttp2/nghttpx-check-sigalg
nghttpx: Choose ECDSA cert if compatible signature algorithm available
8b8ba6b0 · Tatsuhiro Tsujikawa · GitHub · fb5b5aef · 81fb0153 · 8b8ba6b0
Unverified Commit 8b8ba6b0 authored Dec 14, 2020 by Tatsuhiro Tsujikawa Committed by GitHub Dec 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 0 deletions

src/shrpx_tls.cc src/shrpx_tls.cc +25 -0

No files found.
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -196,6 +196,31 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 #if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&                      \
    OPENSSL_VERSION_NUMBER >= 0x10002000L
+  auto num_sigalgs =
+      SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
+  for (idx = 0; idx < num_sigalgs; ++idx) {
+    int signhash;
+    SSL_get_sigalgs(ssl, idx, nullptr, nullptr, &signhash, nullptr, nullptr);
+    switch (signhash) {
+    case NID_ecdsa_with_SHA256:
+    case NID_ecdsa_with_SHA384:
+    case NID_ecdsa_with_SHA512:
+      break;
+    default:
+      continue;
+    }
+    break;
+  }
+  if (idx == num_sigalgs) {
+    SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
+    return SSL_TLSEXT_ERR_OK;
+  }
  auto num_shared_curves = SSL_get_shared_curve(ssl, -1);
  for (auto i = 0; i < num_shared_curves; ++i) {