Use SSL_CTX_set_dh_auto if DHparam is empty

[ChangeLog][QtNetwork][QSslDiffieHellmanParameters] An empty Diffie-Hellmann parameter enables auto selection of openssl backend. Fixes: QTBUG-117666 Change-Id: Ic2e0529d48542752ca801bcb4d609988e5ddff25 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
author: André Klitzing <aklitzing@gmail.com> 2023-09-29 08:21:21 +0200
committer: André Klitzing <aklitzing@gmail.com> 2023-10-25 17:23:13 +0200
commit: fd9c567156830a21da3cd9e127a998ae90a8e564 (patch)
tree: 7ab3094e0a717fd0cfc254812f24d9325f3281de
parent: 5628600a07295db6ed6683e97fafb0c45ddea505 (diff)
4 files changed, 17 insertions, 7 deletions
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 5acadebc13..bc7f1fb3f4 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -939,6 +939,9 @@ QSslDiffieHellmanParameters QSslConfiguration::diffieHellmanParameters() const
     If no Diffie-Hellman parameters have been set, the QSslConfiguration object
     defaults to using the 2048-bit MODP group from RFC 3526.
 
+    Since 6.7 you can provide an empty Diffie-Hellman parameter to use auto selection
+    (see SSL_CTX_set_dh_auto of openssl) if the tls backend supports it.
+
     \note The default parameters may change in future Qt versions.
     Please check the documentation of the \e{exact Qt version} that you
     are using in order to know what defaults that version uses.
diff --git a/src/plugins/tls/openssl/qsslcontext_openssl.cpp b/src/plugins/tls/openssl/qsslcontext_openssl.cpp
index ef0e63911a..75c192bd01 100644
--- a/src/plugins/tls/openssl/qsslcontext_openssl.cpp
+++ b/src/plugins/tls/openssl/qsslcontext_openssl.cpp
@@ -697,7 +697,9 @@ QT_WARNING_POP
         return;
     }
 
-    if (!dhparams.isEmpty()) {
+    if (dhparams.isEmpty()) {
+        q_SSL_CTX_set_dh_auto(sslContext->ctx, 1);
+    } else {
 #ifndef OPENSSL_NO_DEPRECATED_3_0
         const QByteArray &params = dhparams.d->derData;
         const char *ptr = params.constData();
diff --git a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
index c954d17774..a93c110b3f 100644
--- a/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
+++ b/src/plugins/tls/openssl/qsslsocket_openssl_symbols_p.h
@@ -516,6 +516,7 @@ DH *q_PEM_read_bio_DHparams(BIO *a, DH **b, pem_password_cb *c, void *d);
 
 BIGNUM *q_BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
 #define q_SSL_CTX_set_tmp_dh(ctx, dh) q_SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
+#define q_SSL_CTX_set_dh_auto(ctx, onoff) q_SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
 
 #ifndef OPENSSL_NO_EC
 // EC Diffie-Hellman support
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 66711cce45..c7cfaebd62 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -3510,9 +3510,10 @@ void tst_QSslSocket::dhServerCustomParamsNull()
     if (setProxy)
         return;
 
+    const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256");
     SslServer server;
-    server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")};
-    server.protocol = Test::TlsV1_0;
+    server.ciphers = {cipherWithDH};
+    server.protocol = QSsl::TlsV1_2;
 
     QSslConfiguration cfg = server.config;
     cfg.setDiffieHellmanParameters(QSslDiffieHellmanParameters());
@@ -3525,7 +3526,6 @@ void tst_QSslSocket::dhServerCustomParamsNull()
 
     QSslSocket client;
     QSslConfiguration config = client.sslConfiguration();
-    config.setProtocol(Test::TlsV1_0);
     client.setSslConfiguration(config);
     socket = &client;
     connect(socket, SIGNAL(errorOccurred(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
@@ -3536,7 +3536,8 @@ void tst_QSslSocket::dhServerCustomParamsNull()
 
     loop.exec();
 
-    QVERIFY(client.state() != QAbstractSocket::ConnectedState);
+    QCOMPARE(client.state(), QAbstractSocket::ConnectedState);
+    QCOMPARE(client.sessionCipher(), cipherWithDH);
 }
 
 void tst_QSslSocket::dhServerCustomParams()
@@ -3551,7 +3552,9 @@ void tst_QSslSocket::dhServerCustomParams()
         return;
 
     SslServer server;
-    server.ciphers = {QSslCipher("DHE-RSA-AES256-SHA"), QSslCipher("DHE-DSS-AES256-SHA")};
+    const QSslCipher cipherWithDH("DHE-RSA-AES256-SHA256");
+    server.ciphers = {cipherWithDH};
+    server.protocol = QSsl::TlsV1_2;
 
     QSslConfiguration cfg = server.config;
 
@@ -3581,7 +3584,8 @@ void tst_QSslSocket::dhServerCustomParams()
 
     loop.exec();
 
-    QVERIFY(client.state() == QAbstractSocket::ConnectedState);
+    QCOMPARE(client.state(), QAbstractSocket::ConnectedState);
+    QCOMPARE(client.sessionCipher(), cipherWithDH);
 }
 #endif // QT_CONFIG(openssl)
author	André Klitzing <aklitzing@gmail.com>	2023-09-29 08:21:21 +0200
committer	André Klitzing <aklitzing@gmail.com>	2023-10-25 17:23:13 +0200
commit	fd9c567156830a21da3cd9e127a998ae90a8e564 (patch)
tree	7ab3094e0a717fd0cfc254812f24d9325f3281de
parent	5628600a07295db6ed6683e97fafb0c45ddea505 (diff)