summaryrefslogtreecommitdiffstats
path: root/src/network/ssl/qtlsbackend_p.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/network/ssl/qtlsbackend_p.h')
-rw-r--r--src/network/ssl/qtlsbackend_p.h232
1 files changed, 141 insertions, 91 deletions
diff --git a/src/network/ssl/qtlsbackend_p.h b/src/network/ssl/qtlsbackend_p.h
index 5928dee2c7..090531014b 100644
--- a/src/network/ssl/qtlsbackend_p.h
+++ b/src/network/ssl/qtlsbackend_p.h
@@ -1,41 +1,5 @@
-/****************************************************************************
-**
-** Copyright (C) 2021 The Qt Company Ltd.
-** Contact: https://www.qt.io/licensing/
-**
-** This file is part of the QtNetwork module of the Qt Toolkit.
-**
-** $QT_BEGIN_LICENSE:LGPL$
-** Commercial License Usage
-** Licensees holding valid commercial Qt licenses may use this file in
-** accordance with the commercial license agreement provided with the
-** Software or, alternatively, in accordance with the terms contained in
-** a written agreement between you and The Qt Company. For licensing terms
-** and conditions see https://www.qt.io/terms-conditions. For further
-** information use the contact form at https://www.qt.io/contact-us.
-**
-** GNU Lesser General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU Lesser
-** General Public License version 3 as published by the Free Software
-** Foundation and appearing in the file LICENSE.LGPL3 included in the
-** packaging of this file. Please review the following information to
-** ensure the GNU Lesser General Public License version 3 requirements
-** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
-**
-** GNU General Public License Usage
-** Alternatively, this file may be used under the terms of the GNU
-** General Public License version 2.0 or (at your option) the GNU General
-** Public license version 3 or any later version approved by the KDE Free
-** Qt Foundation. The licenses are as published by the Free Software
-** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
-** included in the packaging of this file. Please review the following
-** information to ensure the GNU General Public License requirements will
-** be met: https://www.gnu.org/licenses/gpl-2.0.html and
-** https://www.gnu.org/licenses/gpl-3.0.html.
-**
-** $QT_END_LICENSE$
-**
-****************************************************************************/
+// Copyright (C) 2021 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
#ifndef QTLSBACKEND_P_H
#define QTLSBACKEND_P_H
@@ -62,7 +26,7 @@
#endif
#include <QtNetwork/qsslcertificate.h>
-#include <QtNetwork/qsslerror.h>
+#include <QtNetwork/qsslcipher.h>
#include <QtNetwork/qsslkey.h>
#include <QtNetwork/qssl.h>
@@ -78,27 +42,28 @@
QT_BEGIN_NAMESPACE
+class QSslPreSharedKeyAuthenticator;
+class QSslSocketPrivate;
class QHostAddress;
+class QSslContext;
+
+class QSslSocket;
class QByteArray;
class QSslCipher;
class QUdpSocket;
class QIODevice;
+class QSslError;
class QSslKey;
-namespace QSsl {
-
-// The class TlsKey encapsulates key's data (DER) or backend-specific
-// data-structure, like RSA/DSA/DH structs in OpenSSL.
-// TLSTODO: Interface is mostly what QSslKeyPrivate is now. Names,
-// however strange they are, for now preserved to ease the transition
-// (this may change in future - for example, 'decodeDer' is not just
-// decoding DER, it's initializing a key from DER. Note, QSslKey requires
-// a real TLS library because private keys tend to be encrypted. This
-// base class does not need a working TLS library.
-class TlsKey {
+namespace QTlsPrivate {
+
+class Q_NETWORK_EXPORT TlsKey {
public:
virtual ~TlsKey();
+ using KeyType = QSsl::KeyType;
+ using KeyAlgorithm = QSsl::KeyAlgorithm;
+
virtual void decodeDer(KeyType type, KeyAlgorithm algorithm, const QByteArray &der,
const QByteArray &passPhrase, bool deepClear) = 0;
virtual void decodePem(KeyType type, KeyAlgorithm algorithm, const QByteArray &pem,
@@ -108,7 +73,7 @@ public:
virtual QByteArray derFromPem(const QByteArray &pem, QMap<QByteArray, QByteArray> *headers) const = 0;
virtual QByteArray pemFromDer(const QByteArray &der, const QMap<QByteArray, QByteArray> &headers) const = 0;
- virtual void fromHandle(Qt::HANDLE opaque, KeyType type) = 0;
+ virtual void fromHandle(Qt::HANDLE handle, KeyType type) = 0;
virtual Qt::HANDLE handle() const = 0;
virtual bool isNull() const = 0;
@@ -118,36 +83,30 @@ public:
virtual void clear(bool deepClear) = 0;
- // Needed by QSslKeyPrivate::pemFromDer() for non-OpenSSL backends.
virtual bool isPkcs8() const = 0;
- using Cipher = QSsl::Cipher;
virtual QByteArray decrypt(Cipher cipher, const QByteArray &data,
- const QByteArray &key, const QByteArray &iv) const = 0;
+ const QByteArray &passPhrase, const QByteArray &iv) const = 0;
virtual QByteArray encrypt(Cipher cipher, const QByteArray &data,
const QByteArray &key, const QByteArray &iv) const = 0;
- // Those two are non-virtual, always the same and only depend on the key type
- // and algorithm:
QByteArray pemHeader() const;
QByteArray pemFooter() const;
};
-// An abstraction hiding OpenSSL's X509 or our generic
-// 'derData'-based code.
-class X509Certificate
+class Q_NETWORK_EXPORT X509Certificate
{
public:
virtual ~X509Certificate();
- virtual bool isEqual(const X509Certificate &rhs) const = 0;
+ virtual bool isEqual(const X509Certificate &other) const = 0;
virtual bool isNull() const = 0;
virtual bool isSelfSigned() const = 0;
virtual QByteArray version() const = 0;
virtual QByteArray serialNumber() const = 0;
- virtual QStringList issuerInfo(QSslCertificate::SubjectInfo info) const = 0;
+ virtual QStringList issuerInfo(QSslCertificate::SubjectInfo subject) const = 0;
virtual QStringList issuerInfo(const QByteArray &attribute) const = 0;
- virtual QStringList subjectInfo(QSslCertificate::SubjectInfo info) const = 0;
+ virtual QStringList subjectInfo(QSslCertificate::SubjectInfo subject) const = 0;
virtual QStringList subjectInfo(const QByteArray &attribute) const = 0;
virtual QList<QByteArray> subjectInfoAttributes() const = 0;
@@ -159,13 +118,14 @@ public:
virtual TlsKey *publicKey() const;
// Extensions. Plugins do not expose internal representation
- // and cannot rely on QSslCertificate's internals.
+ // and cannot rely on QSslCertificate's internals. Thus,
+ // we provide this information 'in pieces':
virtual qsizetype numberOfExtensions() const = 0;
- virtual QString oidForExtension(qsizetype index) const = 0;
- virtual QString nameForExtension(qsizetype index) const = 0;
- virtual QVariant valueForExtension(qsizetype index) const = 0;
- virtual bool isExtensionCritical(qsizetype index) const = 0;
- virtual bool isExtensionSupported(qsizetype index) const = 0;
+ virtual QString oidForExtension(qsizetype i) const = 0;
+ virtual QString nameForExtension(qsizetype i) const = 0;
+ virtual QVariant valueForExtension(qsizetype i) const = 0;
+ virtual bool isExtensionCritical(qsizetype i) const = 0;
+ virtual bool isExtensionSupported(qsizetype i) const = 0;
virtual QByteArray toPem() const = 0;
virtual QByteArray toDer() const = 0;
@@ -189,12 +149,45 @@ using X509Pkcs12ReaderPtr = bool (*)(QIODevice *device, QSslKey *key, QSslCertif
QList<QSslCertificate> *caCertificates,
const QByteArray &passPhrase);
+#if QT_CONFIG(ssl)
// TLS over TCP. Handshake, encryption/decryption.
+class Q_NETWORK_EXPORT TlsCryptograph : public QObject
+{
+public:
+ virtual ~TlsCryptograph();
+
+ virtual void init(QSslSocket *q, QSslSocketPrivate *d) = 0;
+ virtual void checkSettingSslContext(std::shared_ptr<QSslContext> tlsContext);
+ virtual std::shared_ptr<QSslContext> sslContext() const;
+
+ virtual QList<QSslError> tlsErrors() const = 0;
+
+ virtual void startClientEncryption() = 0;
+ virtual void startServerEncryption() = 0;
+ virtual void continueHandshake() = 0;
+ virtual void enableHandshakeContinuation();
+ virtual void disconnectFromHost() = 0;
+ virtual void disconnected() = 0;
+ virtual void cancelCAFetch();
+ virtual QSslCipher sessionCipher() const = 0;
+ virtual QSsl::SslProtocol sessionProtocol() const = 0;
+
+ virtual void transmit() = 0;
+ virtual bool hasUndecryptedData() const;
+ virtual QList<QOcspResponse> ocsps() const;
+
+ static bool isMatchingHostname(const QSslCertificate &cert, const QString &peerName);
+
+ void setErrorAndEmit(QSslSocketPrivate *d, QAbstractSocket::SocketError errorCode,
+ const QString &errorDescription) const;
+};
+#else
class TlsCryptograph;
+#endif // QT_CONFIG(ssl)
#if QT_CONFIG(dtls)
-class DtlsBase
+class Q_NETWORK_EXPORT DtlsBase
{
public:
virtual ~DtlsBase();
@@ -215,7 +208,7 @@ public:
};
// DTLS cookie: generation and verification.
-class DtlsCookieVerifier : virtual public DtlsBase
+class Q_NETWORK_EXPORT DtlsCookieVerifier : virtual public DtlsBase
{
public:
virtual bool verifyClient(QUdpSocket *socket, const QByteArray &dgram,
@@ -224,7 +217,7 @@ public:
};
// TLS over UDP. Handshake, encryption/decryption.
-class DtlsCryptograph : virtual public DtlsBase
+class Q_NETWORK_EXPORT DtlsCryptograph : virtual public DtlsBase
{
public:
@@ -265,10 +258,7 @@ class DtlsCryptograph;
#endif // QT_CONFIG(dtls)
-
-
-
-} // namespace QSsl
+} // namespace QTlsPrivate
// Factory, creating back-end specific implementations of
// different entities QSslSocket is using.
@@ -280,6 +270,11 @@ public:
~QTlsBackend() override;
virtual bool isValid() const;
+ virtual long tlsLibraryVersionNumber() const;
+ virtual QString tlsLibraryVersionString() const;
+ virtual long tlsLibraryBuildVersionNumber() const;
+ virtual QString tlsLibraryBuildVersionString() const;
+ virtual void ensureInitialized() const;
virtual QString backendName() const = 0;
virtual QList<QSsl::SslProtocol> supportedProtocols() const = 0;
@@ -287,20 +282,22 @@ public:
virtual QList<QSsl::ImplementedClass> implementedClasses() const = 0;
// X509 and keys:
- virtual QSsl::TlsKey *createKey() const;
- virtual QSsl::X509Certificate *createCertificate() const;
+ virtual QTlsPrivate::TlsKey *createKey() const;
+ virtual QTlsPrivate::X509Certificate *createCertificate() const;
+
+ virtual QList<QSslCertificate> systemCaCertificates() const;
// TLS and DTLS:
- virtual QSsl::TlsCryptograph *createTlsCryptograph() const;
- virtual QSsl::DtlsCryptograph *createDtlsCryptograph(class QDtls *qObject, int mode) const;
- virtual QSsl::DtlsCookieVerifier *createDtlsCookieVerifier() const;
+ virtual QTlsPrivate::TlsCryptograph *createTlsCryptograph() const;
+ virtual QTlsPrivate::DtlsCryptograph *createDtlsCryptograph(class QDtls *qObject, int mode) const;
+ virtual QTlsPrivate::DtlsCookieVerifier *createDtlsCookieVerifier() const;
// TLSTODO - get rid of these function pointers, make them virtuals in
// the backend itself. X509 machinery:
- virtual QSsl::X509ChainVerifyPtr X509Verifier() const;
- virtual QSsl::X509PemReaderPtr X509PemReader() const;
- virtual QSsl::X509DerReaderPtr X509DerReader() const;
- virtual QSsl::X509Pkcs12ReaderPtr X509Pkcs12Reader() const;
+ virtual QTlsPrivate::X509ChainVerifyPtr X509Verifier() const;
+ virtual QTlsPrivate::X509PemReaderPtr X509PemReader() const;
+ virtual QTlsPrivate::X509DerReaderPtr X509DerReader() const;
+ virtual QTlsPrivate::X509Pkcs12ReaderPtr X509Pkcs12Reader() const;
// Elliptic curves:
virtual QList<int> ellipticCurvesIds() const;
@@ -310,8 +307,9 @@ public:
virtual QString longNameForId(int cid) const;
virtual bool isTlsNamedCurve(int cid) const;
- // TLSTODO: int->enum ugliness in error reporting.
- // DH decoding:
+ // Note: int and not QSslDiffieHellmanParameter::Error - because this class and
+ // its enum are QT_CONFIG(ssl)-conditioned. But not QTlsBackend and
+ // its virtual functions. DH decoding:
virtual int dhParametersFromDer(const QByteArray &derData, QByteArray *data) const;
virtual int dhParametersFromPem(const QByteArray &pemData, QByteArray *data) const;
@@ -328,22 +326,74 @@ public:
static constexpr const int nameIndexSchannel = 0;
static constexpr const int nameIndexSecureTransport = 1;
static constexpr const int nameIndexOpenSSL = 2;
+ static constexpr const int nameIndexCertOnly = 3;
static const QString builtinBackendNames[];
- template<class DynamicType, class TLSObject>
+ template<class DynamicType, class TLSObject>
static DynamicType *backend(const TLSObject &o)
{
- return static_cast<DynamicType *>(o.backendImplementation());
+ return static_cast<DynamicType *>(o.d->backend.get());
}
- static void resetBackend(QSslKey &key, QSsl::TlsKey *keyBackend);
+ static void resetBackend(QSslKey &key, QTlsPrivate::TlsKey *keyBackend);
+
+ static void setupClientPskAuth(QSslPreSharedKeyAuthenticator *auth, const char *hint,
+ int hintLength, unsigned maxIdentityLen, unsigned maxPskLen);
+ static void setupServerPskAuth(QSslPreSharedKeyAuthenticator *auth, const char *identity,
+ const QByteArray &identityHint, unsigned maxPskLen);
+#if QT_CONFIG(ssl)
+ static QSslCipher createCiphersuite(const QString &description, int bits, int supportedBits);
+ static QSslCipher createCiphersuite(const QString &suiteName, QSsl::SslProtocol protocol,
+ const QString &protocolString);
+ static QSslCipher createCiphersuite(const QString &name, const QString &keyExchangeMethod,
+ const QString &encryptionMethod,
+ const QString &authenticationMethod,
+ int bits, QSsl::SslProtocol protocol,
+ const QString &protocolString);
+
+ // Those statics are implemented using QSslSocketPrivate (which is not exported,
+ // unlike QTlsBackend).
+ static QList<QSslCipher> defaultCiphers();
+ static QList<QSslCipher> defaultDtlsCiphers();
+
+ static void setDefaultCiphers(const QList<QSslCipher> &ciphers);
+ static void setDefaultDtlsCiphers(const QList<QSslCipher> &ciphers);
+ static void setDefaultSupportedCiphers(const QList<QSslCipher> &ciphers);
+
+ static void resetDefaultEllipticCurves();
+
+ static void setDefaultCaCertificates(const QList<QSslCertificate> &certs);
+
+ // Many thanks to people who designed QSslConfiguration with hidden
+ // data-members, that sneakily set by some 'friend' classes, having
+ // some twisted logic.
+ static bool rootLoadingOnDemandAllowed(const QSslConfiguration &configuration);
+ static void storePeerCertificate(QSslConfiguration &configuration, const QSslCertificate &peerCert);
+ static void storePeerCertificateChain(QSslConfiguration &configuration,
+ const QList<QSslCertificate> &peerCertificateChain);
+ static void clearPeerCertificates(QSslConfiguration &configuration);
+ // And those are even worse, this is where we don't have the original configuration,
+ // and can have only a copy. So instead we go to d->privateConfiguration.someMember:
+ static void clearPeerCertificates(QSslSocketPrivate *d);
+ static void setPeerSessionShared(QSslSocketPrivate *d, bool shared);
+ static void setSessionAsn1(QSslSocketPrivate *d, const QByteArray &asn1);
+ static void setSessionLifetimeHint(QSslSocketPrivate *d, int hint);
+ using AlpnNegotiationStatus = QSslConfiguration::NextProtocolNegotiationStatus;
+ static void setAlpnStatus(QSslSocketPrivate *d, AlpnNegotiationStatus st);
+ static void setNegotiatedProtocol(QSslSocketPrivate *d, const QByteArray &protocol);
+ static void storePeerCertificate(QSslSocketPrivate *d, const QSslCertificate &peerCert);
+ static void storePeerCertificateChain(QSslSocketPrivate *d, const QList<QSslCertificate> &peerChain);
+ static void addTustedRoot(QSslSocketPrivate *d, const QSslCertificate &rootCert);// TODO: "addTrusted..."
+ // The next one - is a "very important" feature! Kidding ...
+ static void setEphemeralKey(QSslSocketPrivate *d, const QSslKey &key);
+
+ virtual void forceAutotestSecurityLevel();
+#endif // QT_CONFIG(ssl)
Q_DISABLE_COPY_MOVE(QTlsBackend)
};
-Q_DECLARE_LOGGING_CATEGORY(lcTlsBackend)
-
#define QTlsBackend_iid "org.qt-project.Qt.QTlsBackend"
Q_DECLARE_INTERFACE(QTlsBackend, QTlsBackend_iid);
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-06 18:27:40 +0000