Support for DH and ECDH key exchange for QSslSocket servers

Despite supporting DH and ECDH key exchange as a client, Qt did not provide
any default parameters which prevented them being used as a server. A
future change should allow the user to control the parameters used, but
these defaults should be okay for most users.

[ChangeLog][Important Behavior Changes] Support for DH and ECDH key exchange
cipher suites when acting as an SSL server has been made possible. This
change means the you can now implement servers that offer forward-secrecy
using Qt.

Task-number: QTBUG-20666
Change-Id: I469163900e4313da9d2d0c3e1e5e47ef46320b17
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
Reviewed-by: Peter Hartmann <phartmann@blackberry.com>

1 files changed, 67 insertions, 0 deletions

diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index ded3966992..baaf21e6bb 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -192,6 +192,8 @@ private slots:
     void resume();
     void qtbug18498_peek();
     void qtbug18498_peek2();
+    void dhServer();
+    void ecdhServer();
     void setEmptyDefaultConfiguration(); // this test should be last
 
     static void exitLoop()
@@ -1004,6 +1006,7 @@ public:
     QString m_keyFile;
     QString m_certFile;
     QString m_interFile;
+    QString ciphers;
 
 protected:
     void incomingConnection(qintptr socketDescriptor)
@@ -1037,6 +1040,10 @@ protected:
             socket->setLocalCertificateChain(localCert + interCert);
         }
 
+        if (!ciphers.isEmpty()) {
+            socket->setCiphers(ciphers);
+        }
+
         QVERIFY(socket->setSocketDescriptor(socketDescriptor, QAbstractSocket::ConnectedState));
         QVERIFY(!socket->peerAddress().isNull());
         QVERIFY(socket->peerPort() != 0);
@@ -2665,6 +2672,66 @@ void tst_QSslSocket::qtbug18498_peek2()
     QVERIFY(client->waitForDisconnected(5000));
 }
 
+void tst_QSslSocket::dhServer()
+{
+    if (!QSslSocket::supportsSsl()) {
+        qWarning("SSL not supported, skipping test");
+        return;
+    }
+
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    SslServer server;
+    server.ciphers = QLatin1String("DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA");
+    QVERIFY(server.listen());
+
+    QEventLoop loop;
+    QTimer::singleShot(5000, &loop, SLOT(quit()));
+
+    QSslSocketPtr client(new QSslSocket);
+    socket = client.data();
+    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
+    connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
+    connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
+
+    client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+
+    loop.exec();
+    QVERIFY(client->state() == QAbstractSocket::ConnectedState);
+}
+
+void tst_QSslSocket::ecdhServer()
+{
+    if (!QSslSocket::supportsSsl()) {
+        qWarning("SSL not supported, skipping test");
+        return;
+    }
+
+    QFETCH_GLOBAL(bool, setProxy);
+    if (setProxy)
+        return;
+
+    SslServer server;
+    server.ciphers = QLatin1String("ECDHE-RSA-AES128-SHA");
+    QVERIFY(server.listen());
+
+    QEventLoop loop;
+    QTimer::singleShot(5000, &loop, SLOT(quit()));
+
+    QSslSocketPtr client(new QSslSocket);
+    socket = client.data();
+    connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), &loop, SLOT(quit()));
+    connect(socket, SIGNAL(sslErrors(QList<QSslError>)), this, SLOT(ignoreErrorSlot()));
+    connect(socket, SIGNAL(encrypted()), &loop, SLOT(quit()));
+
+    client->connectToHostEncrypted(QHostAddress(QHostAddress::LocalHost).toString(), server.serverPort());
+
+    loop.exec();
+    QVERIFY(client->state() == QAbstractSocket::ConnectedState);
+}
+
 void tst_QSslSocket::setEmptyDefaultConfiguration() // this test should be last, as it has some side effects
 {
     // used to produce a crash in QSslConfigurationPrivate::deepCopyDefaultConfiguration, QTBUG-13265