diff options
-rw-r--r-- | src/network/ssl/qtlsbackend.cpp | 4 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtls_st.cpp | 29 | ||||
-rw-r--r-- | src/plugins/tls/securetransport/qtlsbackend_st.cpp | 49 | ||||
-rw-r--r-- | tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 39 |
4 files changed, 121 insertions, 0 deletions
diff --git a/src/network/ssl/qtlsbackend.cpp b/src/network/ssl/qtlsbackend.cpp index 144bd620c9..b7d288dfa3 100644 --- a/src/network/ssl/qtlsbackend.cpp +++ b/src/network/ssl/qtlsbackend.cpp @@ -902,6 +902,10 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &suiteName, QSsl::SslPro ciph.d->encryptionMethod = QLatin1String("AES(256)"); ciph.d->bits = 256; ciph.d->supportedBits = 256; + } else if (ciph.d->name.contains(QLatin1String("CHACHA20-"))) { + ciph.d->encryptionMethod = QLatin1String("CHACHA20"); + ciph.d->bits = 256; + ciph.d->supportedBits = 256; } else if (ciph.d->name.contains(QLatin1String("NULL-"))) { ciph.d->encryptionMethod = QLatin1String("NULL"); } else { diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp index 8b391b9f31..02de40bc52 100644 --- a/src/plugins/tls/securetransport/qtls_st.cpp +++ b/src/plugins/tls/securetransport/qtls_st.cpp @@ -649,6 +649,35 @@ SSLCipherSuite TlsCryptographSecureTransport::SSLCipherSuite_from_QSslCipher(con return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-GCM-SHA384")) return TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("AES128-GCM-SHA256")) + return TLS_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("AES256-GCM-SHA384")) + return TLS_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("CHACHA20-POLY1305-SHA256")) + return TLS_CHACHA20_POLY1305_SHA256; + if (ciph.name() == QLatin1String("AES128-CCM-SHA256")) + return TLS_AES_128_CCM_SHA256; + if (ciph.name() == QLatin1String("AES128-CCM8-SHA256")) + return TLS_AES_128_CCM_8_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256")) + return TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384")) + return TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256")) + return TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384")) + return TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDHE-RSA-AES128-GCM-SHA256")) + return TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-RSA-AES128-GCM-SHA256")) + return TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; + if (ciph.name() == QLatin1String("ECDH-RSA-AES256-GCM-SHA384")) + return TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; + if (ciph.name() == QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256")) + return TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; + if (ciph.name() == QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256")) + return TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256; + return 0; } diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp index 5b60b69b4f..a0532b49df 100644 --- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp +++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp @@ -204,6 +204,55 @@ QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher) name = QLatin1String("ECDHE-RSA-AES256-GCM-SHA384"); break; + // TLS 1.3 standard cipher suites for ChaCha20+Poly1305. + // Note: TLS 1.3 ciphersuites do not specify the key exchange + // algorithm -- they only specify the symmetric ciphers. + case TLS_AES_128_GCM_SHA256: + name = QLatin1String("AES128-GCM-SHA256"); + break; + case TLS_AES_256_GCM_SHA384: + name = QLatin1String("AES256-GCM-SHA384"); + break; + case TLS_CHACHA20_POLY1305_SHA256: + name = QLatin1String("CHACHA20-POLY1305-SHA256"); + break; + case TLS_AES_128_CCM_SHA256: + name = QLatin1String("AES128-CCM-SHA256"); + break; + case TLS_AES_128_CCM_8_SHA256: + name = QLatin1String("AES128-CCM8-SHA256"); + break; + // Addenda from rfc 5289 Elliptic Curve Cipher Suites with + // SHA-256/384 and AES Galois Counter Mode (GCM). + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256"); + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384"); + break; + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384"); + break; + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDHE-RSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: + name = QLatin1String("ECDH-RSA-AES128-GCM-SHA256"); + break; + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: + name = QLatin1String("ECDH-RSA-AES256-GCM-SHA384"); + break; + // Addenda from rfc 7905 ChaCha20-Poly1305 Cipher Suites for + // Transport Layer Security (TLS). + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: + name = QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256"); + break; + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: + name = QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"); + break; default: return {}; } diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp index a03809fc09..a2541d5425 100644 --- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp +++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp @@ -155,6 +155,9 @@ private slots: void sslErrors_data(); void sslErrors(); void ciphers(); +#if QT_CONFIG(securetransport) + void tls13Ciphers(); +#endif // QT_CONFIG(securetransport) void connectToHostEncrypted(); void connectToHostEncryptedWithVerificationPeerName(); void sessionCipher(); @@ -1063,6 +1066,42 @@ void tst_QSslSocket::ciphers() } } +#if QT_CONFIG(securetransport) +void tst_QSslSocket::tls13Ciphers() +{ + // SecureTransport introduced several new ciphers under + // "TLS 1.3 ciphersuites" section. Since Qt 6 we respect + // the ciphers from QSslConfiguration. In case of default + // configuration, these are the same we report and we + // were failing (for historical reasons) to report those + // TLS 1.3 suites when creating default QSslConfiguration. + // Check we now have them. + if (!isTestingSecureTransport) + QSKIP("The feature 'securetransport' was enabled, but active backend is not \"securetransport\""); + + QFETCH_GLOBAL(const bool, setProxy); + if (setProxy) + return; + + const auto suites = QSslConfiguration::defaultConfiguration().ciphers(); + QSslCipher ciph; + // Check the one of reported and previously missed: + for (const auto &suite : suites) { + if (suite.encryptionMethod() == QStringLiteral("CHACHA20")) { + // There are several ciphesuites using CHACHA20, the first one + // is sufficient for the purpose of this test: + ciph = suite; + break; + } + } + + QVERIFY(!ciph.isNull()); + QCOMPARE(ciph.encryptionMethod(), QStringLiteral("CHACHA20")); + QCOMPARE(ciph.supportedBits(), 256); + QCOMPARE(ciph.usedBits(), 256); +} +#endif // QT_CONFIG(securetransport) + void tst_QSslSocket::connectToHostEncrypted() { if (!QSslSocket::supportsSsl()) |