4 files changed, 121 insertions, 0 deletions

diff --git a/src/network/ssl/qtlsbackend.cpp b/src/network/ssl/qtlsbackend.cpp
index 144bd620c9..b7d288dfa3 100644
--- a/src/network/ssl/qtlsbackend.cpp
+++ b/src/network/ssl/qtlsbackend.cpp
@@ -902,6 +902,10 @@ QSslCipher QTlsBackend::createCiphersuite(const QString &suiteName, QSsl::SslPro
             ciph.d->encryptionMethod = QLatin1String("AES(256)");
             ciph.d->bits = 256;
             ciph.d->supportedBits = 256;
+        } else if (ciph.d->name.contains(QLatin1String("CHACHA20-"))) {
+            ciph.d->encryptionMethod = QLatin1String("CHACHA20");
+            ciph.d->bits = 256;
+            ciph.d->supportedBits = 256;
         } else if (ciph.d->name.contains(QLatin1String("NULL-"))) {
             ciph.d->encryptionMethod = QLatin1String("NULL");
         } else {
diff --git a/src/plugins/tls/securetransport/qtls_st.cpp b/src/plugins/tls/securetransport/qtls_st.cpp
index 8b391b9f31..02de40bc52 100644
--- a/src/plugins/tls/securetransport/qtls_st.cpp
+++ b/src/plugins/tls/securetransport/qtls_st.cpp
@@ -649,6 +649,35 @@ SSLCipherSuite TlsCryptographSecureTransport::SSLCipherSuite_from_QSslCipher(con
         return TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
     if (ciph.name() == QLatin1String("ECDHE-RSA-AES256-GCM-SHA384"))
         return TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == QLatin1String("AES128-GCM-SHA256"))
+        return TLS_AES_128_GCM_SHA256;
+    if (ciph.name() == QLatin1String("AES256-GCM-SHA384"))
+        return TLS_AES_256_GCM_SHA384;
+    if (ciph.name() == QLatin1String("CHACHA20-POLY1305-SHA256"))
+        return TLS_CHACHA20_POLY1305_SHA256;
+    if (ciph.name() == QLatin1String("AES128-CCM-SHA256"))
+        return TLS_AES_128_CCM_SHA256;
+    if (ciph.name() == QLatin1String("AES128-CCM8-SHA256"))
+        return TLS_AES_128_CCM_8_SHA256;
+    if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256"))
+        return TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384"))
+        return TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256"))
+        return TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384"))
+        return TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == QLatin1String("ECDHE-RSA-AES128-GCM-SHA256"))
+        return TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == QLatin1String("ECDH-RSA-AES128-GCM-SHA256"))
+        return TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
+    if (ciph.name() == QLatin1String("ECDH-RSA-AES256-GCM-SHA384"))
+        return TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
+    if (ciph.name() == QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256"))
+        return TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+    if (ciph.name() == QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256"))
+        return TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
+
     return 0;
 }
 
diff --git a/src/plugins/tls/securetransport/qtlsbackend_st.cpp b/src/plugins/tls/securetransport/qtlsbackend_st.cpp
index 5b60b69b4f..a0532b49df 100644
--- a/src/plugins/tls/securetransport/qtlsbackend_st.cpp
+++ b/src/plugins/tls/securetransport/qtlsbackend_st.cpp
@@ -204,6 +204,55 @@ QSslCipher QSslCipher_from_SSLCipherSuite(SSLCipherSuite cipher)
         name = QLatin1String("ECDHE-RSA-AES256-GCM-SHA384");
         break;
 
+    // TLS 1.3 standard cipher suites for ChaCha20+Poly1305.
+    // Note: TLS 1.3 ciphersuites do not specify the key exchange
+    // algorithm -- they only specify the symmetric ciphers.
+    case TLS_AES_128_GCM_SHA256:
+        name = QLatin1String("AES128-GCM-SHA256");
+        break;
+    case TLS_AES_256_GCM_SHA384:
+        name = QLatin1String("AES256-GCM-SHA384");
+        break;
+    case TLS_CHACHA20_POLY1305_SHA256:
+        name = QLatin1String("CHACHA20-POLY1305-SHA256");
+        break;
+    case TLS_AES_128_CCM_SHA256:
+        name = QLatin1String("AES128-CCM-SHA256");
+        break;
+    case TLS_AES_128_CCM_8_SHA256:
+        name = QLatin1String("AES128-CCM8-SHA256");
+        break;
+    // Addenda from rfc 5289  Elliptic Curve Cipher Suites with
+    // SHA-256/384 and AES Galois Counter Mode (GCM).
+    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+        name = QLatin1String("ECDHE-ECDSA-AES128-GCM-SHA256");
+        break;
+    case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
+        name = QLatin1String("ECDHE-ECDSA-AES256-GCM-SHA384");
+        break;
+    case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
+        name = QLatin1String("ECDH-ECDSA-AES128-GCM-SHA256");
+        break;
+    case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
+        name = QLatin1String("ECDH-ECDSA-AES256-GCM-SHA384");
+        break;
+    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+        name = QLatin1String("ECDHE-RSA-AES128-GCM-SHA256");
+        break;
+    case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
+        name = QLatin1String("ECDH-RSA-AES128-GCM-SHA256");
+        break;
+    case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
+        name = QLatin1String("ECDH-RSA-AES256-GCM-SHA384");
+        break;
+    // Addenda from rfc 7905  ChaCha20-Poly1305 Cipher Suites for
+    // Transport Layer Security (TLS).
+    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
+        name = QLatin1String("ECDHE-RSA-CHACHA20-POLY1305-SHA256");
+        break;
+    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
+        name = QLatin1String("ECDHE-ECDSA-CHACHA20-POLY1305-SHA256");
+        break;
     default:
         return {};
     }
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index a03809fc09..a2541d5425 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -155,6 +155,9 @@ private slots:
     void sslErrors_data();
     void sslErrors();
     void ciphers();
+#if QT_CONFIG(securetransport)
+    void tls13Ciphers();
+#endif // QT_CONFIG(securetransport)
     void connectToHostEncrypted();
     void connectToHostEncryptedWithVerificationPeerName();
     void sessionCipher();
@@ -1063,6 +1066,42 @@ void tst_QSslSocket::ciphers()
     }
 }
 
+#if QT_CONFIG(securetransport)
+void tst_QSslSocket::tls13Ciphers()
+{
+    // SecureTransport introduced several new ciphers under
+    // "TLS 1.3 ciphersuites" section. Since Qt 6 we respect
+    // the ciphers from QSslConfiguration. In case of default
+    // configuration, these are the same we report and we
+    // were failing (for historical reasons) to report those
+    // TLS 1.3 suites when creating default QSslConfiguration.
+    // Check we now have them.
+    if (!isTestingSecureTransport)
+        QSKIP("The feature 'securetransport' was enabled, but active backend is not \"securetransport\"");
+
+    QFETCH_GLOBAL(const bool, setProxy);
+    if (setProxy)
+        return;
+
+    const auto suites = QSslConfiguration::defaultConfiguration().ciphers();
+    QSslCipher ciph;
+    // Check the one of reported and previously missed:
+    for (const auto &suite : suites) {
+        if (suite.encryptionMethod() == QStringLiteral("CHACHA20")) {
+            // There are several ciphesuites using CHACHA20, the first one
+            // is sufficient for the purpose of this test:
+            ciph = suite;
+            break;
+        }
+    }
+
+    QVERIFY(!ciph.isNull());
+    QCOMPARE(ciph.encryptionMethod(), QStringLiteral("CHACHA20"));
+    QCOMPARE(ciph.supportedBits(), 256);
+    QCOMPARE(ciph.usedBits(), 256);
+}
+#endif // QT_CONFIG(securetransport)
+
 void tst_QSslSocket::connectToHostEncrypted()
 {
     if (!QSslSocket::supportsSsl())