diff options
author | Andy Shaw <andy.shaw@qt.io> | 2020-04-17 10:32:56 +0200 |
---|---|---|
committer | Andy Shaw <andy.shaw@qt.io> | 2020-07-24 00:36:47 +0200 |
commit | c70d693378b8110c09fdd18d7a4a22e8bd1b98d9 (patch) | |
tree | 839cad5a03074c110722ec36fd0a2d427ee8c302 | |
parent | b9cd399dc99487371a17dbdfc434b62dc8508c3f (diff) |
SecureTransport: Set requested ciphers specified in the configuration
Fixes: QTBUG-83491
Change-Id: I783a355be5405d4c44e703874bdf2e14afe629e1
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
-rw-r--r-- | src/network/ssl/qsslsocket_mac.cpp | 94 | ||||
-rw-r--r-- | src/network/ssl/qsslsocket_mac_p.h | 1 |
2 files changed, 95 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket_mac.cpp b/src/network/ssl/qsslsocket_mac.cpp index d7c3a82db9..4096fb68c6 100644 --- a/src/network/ssl/qsslsocket_mac.cpp +++ b/src/network/ssl/qsslsocket_mac.cpp @@ -854,6 +854,84 @@ QSslCipher QSslSocketBackendPrivate::QSslCipher_from_SSLCipherSuite(SSLCipherSui } return ciph; } +SSLCipherSuite QSslSocketBackendPrivate::SSLCipherSuite_from_QSslCipher(const QSslCipher &ciph) +{ + if (ciph.d->name == QLatin1String("AES128-SHA")) + return TLS_RSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("DHE-RSA-AES128-SHA")) + return TLS_DHE_RSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("AES256-SHA")) + return TLS_RSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("DHE-RSA-AES256-SHA")) + return TLS_DHE_RSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-NULL-SHA")) + return TLS_ECDH_ECDSA_WITH_NULL_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-RC4-SHA")) + return TLS_ECDH_ECDSA_WITH_RC4_128_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-DES-CBC3-SHA")) + return TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES128-SHA")) + return TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES256-SHA")) + return TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-RC4-SHA")) + return TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-DES-CBC3-SHA")) + return TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES128-SHA")) + return TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES256-SHA")) + return TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-NULL-SHA")) + return TLS_ECDH_RSA_WITH_NULL_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-RC4-SHA")) + return TLS_ECDH_RSA_WITH_RC4_128_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-DES-CBC3-SHA")) + return TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-AES128-SHA")) + return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-AES256-SHA")) + return TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-RC4-SHA")) + return TLS_ECDHE_RSA_WITH_RC4_128_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-DES-CBC3-SHA")) + return TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-AES128-SHA")) + return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; + if (ciph.d->name == QLatin1String("ECDH-RSA-AES256-SHA")) + return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; + if (ciph.d->name == QLatin1String("DES-CBC3-SHA")) + return TLS_RSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("AES128-SHA256")) + return TLS_RSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("AES256-SHA256")) + return TLS_RSA_WITH_AES_256_CBC_SHA256; + if (ciph.d->name == QLatin1String("DHE-RSA-DES-CBC3-SHA")) + return TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; + if (ciph.d->name == QLatin1String("DHE-RSA-AES128-SHA256")) + return TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("DHE-RSA-AES256-SHA256")) + return TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; + if (ciph.d->name == QLatin1String("AES256-GCM-SHA384")) + return TLS_RSA_WITH_AES_256_GCM_SHA384; + if (ciph.d->name == QLatin1String("ECDHE-ECDSA-AES128-SHA256")) + return TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("ECDHE-ECDSA-AES256-SHA384")) + return TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES128-SHA256")) + return TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("ECDH-ECDSA-AES256-SHA384")) + return TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; + if (ciph.d->name == QLatin1String("ECDHE-RSA-AES128-SHA256")) + return TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("ECDHE-RSA-AES256-SHA384")) + return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; + if (ciph.d->name == QLatin1String("ECDHE-RSA-AES256-SHA384")) + return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; + if (ciph.d->name == QLatin1String("ECDHE-RSA-AES256-GCM-SHA384")) + return TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; + return 0; +} bool QSslSocketBackendPrivate::initSslContext() { @@ -969,6 +1047,22 @@ bool QSslSocketBackendPrivate::initSslContext() SSLSetDiffieHellmanParams(context, dhparam, sizeof(dhparam)); #endif } + if (configuration.ciphers.size() > 0) { + QVector<SSLCipherSuite> cfCiphers; + for (const QSslCipher &cipher : configuration.ciphers) { + if (auto sslCipher = QSslSocketBackendPrivate::SSLCipherSuite_from_QSslCipher(cipher)) + cfCiphers << sslCipher; + } + if (cfCiphers.size() == 0) { + qCWarning(lcSsl) << "failed to add any of the requested ciphers from the configuration"; + return false; + } + OSStatus err = SSLSetEnabledCiphers(context, cfCiphers.data(), cfCiphers.size()); + if (err != errSecSuccess) { + qCWarning(lcSsl) << "failed to set the ciphers from the configuration"; + return false; + } + } return true; } diff --git a/src/network/ssl/qsslsocket_mac_p.h b/src/network/ssl/qsslsocket_mac_p.h index 48aca964a1..dcd4f4de72 100644 --- a/src/network/ssl/qsslsocket_mac_p.h +++ b/src/network/ssl/qsslsocket_mac_p.h @@ -104,6 +104,7 @@ public: const QByteArray &passPhrase); static QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher); + static SSLCipherSuite SSLCipherSuite_from_QSslCipher(const QSslCipher &cipher); private: // SSL context management/properties: |