diff options
author | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2021-12-23 14:17:13 +0100 |
---|---|---|
committer | Timur Pocheptsov <timur.pocheptsov@qt.io> | 2022-01-12 22:27:21 +0100 |
commit | c30af31f990aef5ff5ea0e6eb2c6ba9681f9c7ba (patch) | |
tree | dd0cf4861e5d4751711d40a807cc1b82df482fa0 /src/plugins/tls/securetransport | |
parent | eabb3fd2f03f81f738a6128b7b09d92f0731522c (diff) |
QSslSocket (SecureTransport) add TLS 1.3 ciphersuites
At some point we decided to support a custom set of ciphersuites specified
by QSslConfiguration (which if you ask me was never a good idea). The law
of unforseen consequiences bit us again: since we now give a set of ciphesuites
to QSslConfiguration and set ciphesuites from the configuration a socket has,
we are limited by the ciphersuites we know about at the moment of 'coding'.
Meaning if an SDK was updated and CipherSuite.h later adds more ciphersuites,
we miss them and 'don't support them', while we ... actually do.
This patch tries to add some more ciphersuites introduced in TLS 1.3 (interesting,
SecureTransport does not support TLS 1.3, but TLS 1.3 suites can be used in TLS
1.2 session).
Pick-to: 6.2 6.3 5.15
Task-number: QTBUG-99368
Change-Id: I439b63845c4893e5621cffaf3bcaf62e2b643c74
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/plugins/tls/securetransport')
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st.cpp | 29 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st.cpp | 49 |
2 files changed, 78 insertions, 0 deletions
diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp index 8b391b9f31..02de40bc52 100644 --- a/src/plugins/tls/securetransport/qtls_st.cpp +++ b/src/plugins/tls/securetransport/qtls_st.cpp @@ -649,6 +649,35 @@ SSLCipherSuite TlsCryptographSecureTransport::SSLCipherSuite_from_QSslCipher(con return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-GCM-SHA384")) return TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("AES128-GCM-SHA256")) + return TLS_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("AES256-GCM-SHA384")) + return TLS_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("CHACHA20-POLY1305-SHA256")) + return TLS_CHACHA20_POLY1305_SHA256; + if (ciph.name() == QLatin1String("AES128-CCM-SHA256")) + return TLS_AES_128_CCM_SHA256; + if (ciph.name() == QLatin1String("AES128-CCM8-SHA256")) + return TLS_AES_128_CCM_8_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256")) + return TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384")) + return TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256")) + return TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384")) + return TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDHE-RSA-AES128-GCM-SHA256")) + return TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-RSA-AES128-GCM-SHA256")) + return TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-RSA-AES256-GCM-SHA384")) + return TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256")) + return TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256")) + return TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; + return 0; } diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp index 5b60b69b4f..a0532b49df 100644 --- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp +++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp @@ -204,6 +204,55 @@ QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher) name = QLatin1String("ECDHE-RSA-AES256-GCM-SHA384"); break; + // TLS 1.3 standard cipher suites for ChaCha20+Poly1305. + // Note: TLS 1.3 ciphersuites do not specify the key exchange + // algorithm -- they only specify the symmetric ciphers. + case TLS_AES_128_GCM_SHA256: + name = QLatin1String("AES128-GCM-SHA256"); + break; + case TLS_AES_256_GCM_SHA384: + name = QLatin1String("AES256-GCM-SHA384"); + break; + case TLS_CHACHA20_POLY1305_SHA256: + name = QLatin1String("CHACHA20-POLY1305-SHA256"); + break; + case TLS_AES_128_CCM_SHA256: + name = QLatin1String("AES128-CCM-SHA256"); + break; + case TLS_AES_128_CCM_8_SHA256: + name = QLatin1String("AES128-CCM8-SHA256"); + break; + // Addenda from rfc 5289 Elliptic Curve Cipher Suites with + // SHA-256/384 and AES Galois Counter Mode (GCM). + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256"); + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384"); + break; + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384"); + break; + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDHE-RSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDH-RSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDH-RSA-AES256-GCM-SHA384"); + break; + // Addenda from rfc 7905 ChaCha20-Poly1305 Cipher Suites for + // Transport Layer Security (TLS). + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: + name = QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256"); + break; + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: + name = QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"); + break; default: return {}; } |