From 1ea2fe5b8d082d193b7f6ecfa5d5d9a9700afe11 Mon Sep 17 00:00:00 2001
From: sledgehammer999 <hammered999@gmail.com>
Date: Wed, 1 Feb 2023 02:23:12 +0200
Subject: [PATCH] Blacklist bad ciphers for TLS in the server

Prevents the ROBOT attack.
Closes #18483
---
 src/base/http/server.cpp | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/base/http/server.cpp b/src/base/http/server.cpp
index f53e437d78d..d2b6ebf715a 100644
--- a/src/base/http/server.cpp
+++ b/src/base/http/server.cpp
@@ -56,10 +56,33 @@ namespace
     QList<QSslCipher> safeCipherList()
     {
         const QStringList badCiphers {u"idea"_qs, u"rc4"_qs};
+        // Contains Ciphersuites that use RSA for the Key Exchange but they don't mention it in their name
+        const QStringList badRSAShorthandSuites {
+            u"AES256-GCM-SHA384"_qs, u"AES128-GCM-SHA256"_qs, u"AES256-SHA256"_qs,
+            u"AES128-SHA256"_qs, u"AES256-SHA"_qs, u"AES128-SHA"_qs};
+        // Contains Ciphersuites that use AES CBC mode but they don't mention it in their name
+        const QStringList badAESShorthandSuites {
+            u"ECDHE-ECDSA-AES256-SHA384"_qs, u"ECDHE-RSA-AES256-SHA384"_qs, u"DHE-RSA-AES256-SHA256"_qs,
+            u"ECDHE-ECDSA-AES128-SHA256"_qs, u"ECDHE-RSA-AES128-SHA256"_qs, u"DHE-RSA-AES128-SHA256"_qs,
+            u"ECDHE-ECDSA-AES256-SHA"_qs, u"ECDHE-RSA-AES256-SHA"_qs, u"DHE-RSA-AES256-SHA"_qs,
+            u"ECDHE-ECDSA-AES128-SHA"_qs, u"ECDHE-RSA-AES128-SHA"_qs, u"DHE-RSA-AES128-SHA"_qs};
         const QList<QSslCipher> allCiphers {QSslConfiguration::supportedCiphers()};
         QList<QSslCipher> safeCiphers;
-        std::copy_if(allCiphers.cbegin(), allCiphers.cend(), std::back_inserter(safeCiphers), [&badCiphers](const QSslCipher &cipher)
+        std::copy_if(allCiphers.cbegin(), allCiphers.cend(), std::back_inserter(safeCiphers),
+                     [&badCiphers, &badRSAShorthandSuites, &badAESShorthandSuites](const QSslCipher &cipher)
         {
+            const QString name = cipher.name();
+            if (name.contains(u"-cbc-"_qs, Qt::CaseInsensitive) // AES CBC mode is considered vulnerable to BEAST attack
+                || name.startsWith(u"adh-"_qs, Qt::CaseInsensitive) // Key Exchange: Diffie-Hellman, doesn't support Perfect Forward Secrecy
+                || name.startsWith(u"aecdh-"_qs, Qt::CaseInsensitive) // Key Exchange: Elliptic Curve Diffie-Hellman, doesn't support Perfect Forward Secrecy
+                || name.startsWith(u"psk-"_qs, Qt::CaseInsensitive) // Key Exchange: Pre-Shared Key, doesn't support Perfect Forward Secrecy
+                || name.startsWith(u"rsa-"_qs, Qt::CaseInsensitive) // Key Exchange: Rivest Shamir Adleman (RSA), doesn't support Perfect Forward Secrecy
+                || badRSAShorthandSuites.contains(name, Qt::CaseInsensitive)
+                || badAESShorthandSuites.contains(name, Qt::CaseInsensitive))
+            {
+                return false;
+            }
+
             return std::none_of(badCiphers.cbegin(), badCiphers.cend(), [&cipher](const QString &badCipher)
             {
                 return cipher.name().contains(badCipher, Qt::CaseInsensitive);