/**************************************************************************** ** ** Copyright (C) 2021 The Qt Company Ltd. ** Contact: https://www.qt.io/licensing/ ** ** This file is part of the QtNetwork module of the Qt Toolkit. ** ** $QT_BEGIN_LICENSE:LGPL$ ** Commercial License Usage ** Licensees holding valid commercial Qt licenses may use this file in ** accordance with the commercial license agreement provided with the ** Software or, alternatively, in accordance with the terms contained in ** a written agreement between you and The Qt Company. For licensing terms ** and conditions see https://www.qt.io/terms-conditions. For further ** information use the contact form at https://www.qt.io/contact-us. ** ** GNU Lesser General Public License Usage ** Alternatively, this file may be used under the terms of the GNU Lesser ** General Public License version 3 as published by the Free Software ** Foundation and appearing in the file LICENSE.LGPL3 included in the ** packaging of this file. Please review the following information to ** ensure the GNU Lesser General Public License version 3 requirements ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. ** ** GNU General Public License Usage ** Alternatively, this file may be used under the terms of the GNU ** General Public License version 2.0 or (at your option) the GNU General ** Public license version 3 or any later version approved by the KDE Free ** Qt Foundation. The licenses are as published by the Free Software ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 ** included in the packaging of this file. Please review the following ** information to ensure the GNU General Public License requirements will ** be met: https://www.gnu.org/licenses/gpl-2.0.html and ** https://www.gnu.org/licenses/gpl-3.0.html. ** ** $QT_END_LICENSE$ ** ****************************************************************************/ #ifndef QTLSBACKEND_P_H #define QTLSBACKEND_P_H // // W A R N I N G // ------------- // // This file is not part of the Qt API. It exists purely as an // implementation detail. This header file may change from version to // version without notice, or even be removed. // // We mean it. // #include #include "qsslconfiguration.h" #include "qsslerror.h" #include "qssl_p.h" #if QT_CONFIG(dtls) #include "qdtls.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include #include QT_BEGIN_NAMESPACE class QSslPreSharedKeyAuthenticator; class QSslSocketPrivate; class QHostAddress; class QSslContext; class QSslSocket; class QByteArray; class QSslCipher; class QUdpSocket; class QIODevice; class QSslError; class QSslKey; namespace QTlsPrivate { class Q_NETWORK_PRIVATE_EXPORT TlsKey { public: virtual ~TlsKey(); using KeyType = QSsl::KeyType; using KeyAlgorithm = QSsl::KeyAlgorithm; virtual void decodeDer(KeyType type, KeyAlgorithm algorithm, const QByteArray &der, const QByteArray &passPhrase, bool deepClear) = 0; virtual void decodePem(KeyType type, KeyAlgorithm algorithm, const QByteArray &pem, const QByteArray &passPhrase, bool deepClear) = 0; virtual QByteArray toPem(const QByteArray &passPhrase) const = 0; virtual QByteArray derFromPem(const QByteArray &pem, QMap *headers) const = 0; virtual QByteArray pemFromDer(const QByteArray &der, const QMap &headers) const = 0; virtual void fromHandle(Qt::HANDLE handle, KeyType type) = 0; virtual Qt::HANDLE handle() const = 0; virtual bool isNull() const = 0; virtual KeyType type() const = 0; virtual KeyAlgorithm algorithm() const = 0; virtual int length() const = 0; virtual void clear(bool deepClear) = 0; virtual bool isPkcs8() const = 0; virtual QByteArray decrypt(Cipher cipher, const QByteArray &data, const QByteArray &passPhrase, const QByteArray &iv) const = 0; virtual QByteArray encrypt(Cipher cipher, const QByteArray &data, const QByteArray &key, const QByteArray &iv) const = 0; QByteArray pemHeader() const; QByteArray pemFooter() const; }; class Q_NETWORK_PRIVATE_EXPORT X509Certificate { public: virtual ~X509Certificate(); virtual bool isEqual(const X509Certificate &other) const = 0; virtual bool isNull() const = 0; virtual bool isSelfSigned() const = 0; virtual QByteArray version() const = 0; virtual QByteArray serialNumber() const = 0; virtual QStringList issuerInfo(QSslCertificate::SubjectInfo subject) const = 0; virtual QStringList issuerInfo(const QByteArray &attribute) const = 0; virtual QStringList subjectInfo(QSslCertificate::SubjectInfo subject) const = 0; virtual QStringList subjectInfo(const QByteArray &attribute) const = 0; virtual QList subjectInfoAttributes() const = 0; virtual QList issuerInfoAttributes() const = 0; virtual QMultiMap subjectAlternativeNames() const = 0; virtual QDateTime effectiveDate() const = 0; virtual QDateTime expiryDate() const = 0; virtual TlsKey *publicKey() const; // Extensions. Plugins do not expose internal representation // and cannot rely on QSslCertificate's internals. Thus, // we provide this information 'in pieces': virtual qsizetype numberOfExtensions() const = 0; virtual QString oidForExtension(qsizetype i) const = 0; virtual QString nameForExtension(qsizetype i) const = 0; virtual QVariant valueForExtension(qsizetype i) const = 0; virtual bool isExtensionCritical(qsizetype i) const = 0; virtual bool isExtensionSupported(qsizetype i) const = 0; virtual QByteArray toPem() const = 0; virtual QByteArray toDer() const = 0; virtual QString toText() const = 0; virtual Qt::HANDLE handle() const = 0; virtual size_t hash(size_t seed) const noexcept = 0; }; // TLSTODO: consider making those into virtuals in QTlsBackend. After all, we ask the backend // to return those pointers if the functionality is supported, but it's a bit odd to have // this level of indirection. They are not parts of the classes above because ... // you'd then have to ask backend to create a certificate to ... call those // functions on a certificate. using X509ChainVerifyPtr = QList (*)(const QList &chain, const QString &hostName); using X509PemReaderPtr = QList (*)(const QByteArray &pem, int count); using X509DerReaderPtr = X509PemReaderPtr; using X509Pkcs12ReaderPtr = bool (*)(QIODevice *device, QSslKey *key, QSslCertificate *cert, QList *caCertificates, const QByteArray &passPhrase); #if QT_CONFIG(ssl) // TLS over TCP. Handshake, encryption/decryption. class Q_NETWORK_PRIVATE_EXPORT TlsCryptograph : public QObject { public: virtual ~TlsCryptograph(); virtual void init(QSslSocket *q, QSslSocketPrivate *d) = 0; virtual void checkSettingSslContext(std::shared_ptr tlsContext); virtual std::shared_ptr sslContext() const; virtual QList tlsErrors() const = 0; virtual void startClientEncryption() = 0; virtual void startServerEncryption() = 0; virtual void continueHandshake() = 0; virtual void enableHandshakeContinuation(); virtual void disconnectFromHost() = 0; virtual void disconnected() = 0; virtual void cancelCAFetch(); virtual QSslCipher sessionCipher() const = 0; virtual QSsl::SslProtocol sessionProtocol() const = 0; virtual void transmit() = 0; virtual bool hasUndecryptedData() const; virtual QList ocsps() const; static bool isMatchingHostname(const QSslCertificate &cert, const QString &peerName); void setErrorAndEmit(QSslSocketPrivate *d, QAbstractSocket::SocketError errorCode, const QString &errorDescription) const; }; #else class TlsCryptograph; #endif // QT_CONFIG(ssl) #if QT_CONFIG(dtls) class Q_NETWORK_PRIVATE_EXPORT DtlsBase { public: virtual ~DtlsBase(); virtual void setDtlsError(QDtlsError code, const QString &description) = 0; virtual QDtlsError error() const = 0; virtual QString errorString() const = 0; virtual void clearDtlsError() = 0; virtual void setConfiguration(const QSslConfiguration &configuration) = 0; virtual QSslConfiguration configuration() const = 0; using GenParams = QDtlsClientVerifier::GeneratorParameters; virtual bool setCookieGeneratorParameters(const GenParams ¶ms) = 0; virtual GenParams cookieGeneratorParameters() const = 0; }; // DTLS cookie: generation and verification. class Q_NETWORK_EXPORT DtlsCookieVerifier : virtual public DtlsBase { public: virtual bool verifyClient(QUdpSocket *socket, const QByteArray &dgram, const QHostAddress &address, quint16 port) = 0; virtual QByteArray verifiedHello() const = 0; }; // TLS over UDP. Handshake, encryption/decryption. class Q_NETWORK_PRIVATE_EXPORT DtlsCryptograph : virtual public DtlsBase { public: virtual QSslSocket::SslMode cryptographMode() const = 0; virtual void setPeer(const QHostAddress &addr, quint16 port, const QString &name) = 0; virtual QHostAddress peerAddress() const = 0; virtual quint16 peerPort() const = 0; virtual void setPeerVerificationName(const QString &name) = 0; virtual QString peerVerificationName() const = 0; virtual void setDtlsMtuHint(quint16 mtu) = 0; virtual quint16 dtlsMtuHint() const = 0; virtual QDtls::HandshakeState state() const = 0; virtual bool isConnectionEncrypted() const = 0; virtual bool startHandshake(QUdpSocket *socket, const QByteArray &dgram) = 0; virtual bool handleTimeout(QUdpSocket *socket) = 0; virtual bool continueHandshake(QUdpSocket *socket, const QByteArray &dgram) = 0; virtual bool resumeHandshake(QUdpSocket *socket) = 0; virtual void abortHandshake(QUdpSocket *socket) = 0; virtual void sendShutdownAlert(QUdpSocket *socket) = 0; virtual QList peerVerificationErrors() const = 0; virtual void ignoreVerificationErrors(const QList &errorsToIgnore) = 0; virtual QSslCipher dtlsSessionCipher() const = 0; virtual QSsl::SslProtocol dtlsSessionProtocol() const = 0; virtual qint64 writeDatagramEncrypted(QUdpSocket *socket, const QByteArray &dgram) = 0; virtual QByteArray decryptDatagram(QUdpSocket *socket, const QByteArray &dgram) = 0; }; #else class DtlsCookieVerifier; class DtlsCryptograph; #endif // QT_CONFIG(dtls) } // namespace QTlsPrivate // Factory, creating back-end specific implementations of // different entities QSslSocket is using. class Q_NETWORK_EXPORT QTlsBackend : public QObject { Q_OBJECT public: QTlsBackend(); ~QTlsBackend() override; virtual bool isValid() const; virtual long tlsLibraryVersionNumber() const; virtual QString tlsLibraryVersionString() const; virtual long tlsLibraryBuildVersionNumber() const; virtual QString tlsLibraryBuildVersionString() const; virtual void ensureInitialized() const; virtual QString backendName() const = 0; virtual QList supportedProtocols() const = 0; virtual QList supportedFeatures() const = 0; virtual QList implementedClasses() const = 0; // X509 and keys: virtual QTlsPrivate::TlsKey *createKey() const; virtual QTlsPrivate::X509Certificate *createCertificate() const; virtual QList systemCaCertificates() const; // TLS and DTLS: virtual QTlsPrivate::TlsCryptograph *createTlsCryptograph() const; virtual QTlsPrivate::DtlsCryptograph *createDtlsCryptograph(class QDtls *qObject, int mode) const; virtual QTlsPrivate::DtlsCookieVerifier *createDtlsCookieVerifier() const; // TLSTODO - get rid of these function pointers, make them virtuals in // the backend itself. X509 machinery: virtual QTlsPrivate::X509ChainVerifyPtr X509Verifier() const; virtual QTlsPrivate::X509PemReaderPtr X509PemReader() const; virtual QTlsPrivate::X509DerReaderPtr X509DerReader() const; virtual QTlsPrivate::X509Pkcs12ReaderPtr X509Pkcs12Reader() const; // Elliptic curves: virtual QList ellipticCurvesIds() const; virtual int curveIdFromShortName(const QString &name) const; virtual int curveIdFromLongName(const QString &name) const; virtual QString shortNameForId(int cid) const; virtual QString longNameForId(int cid) const; virtual bool isTlsNamedCurve(int cid) const; // Note: int and not QSslDiffieHellmanParameter::Error - because this class and // its enum are QT_CONFIG(ssl)-conditioned. But not QTlsBackend and // its virtual functions. DH decoding: virtual int dhParametersFromDer(const QByteArray &derData, QByteArray *data) const; virtual int dhParametersFromPem(const QByteArray &pemData, QByteArray *data) const; static QList availableBackendNames(); static QString defaultBackendName(); static QTlsBackend *findBackend(const QString &backendName); static QTlsBackend *activeOrAnyBackend(); static QList supportedProtocols(const QString &backendName); static QList supportedFeatures(const QString &backendName); static QList implementedClasses(const QString &backendName); // Built-in, this is what Qt provides out of the box (depending on OS): static constexpr const int nameIndexSchannel = 0; static constexpr const int nameIndexSecureTransport = 1; static constexpr const int nameIndexOpenSSL = 2; static constexpr const int nameIndexCertOnly = 3; static const QString builtinBackendNames[]; template static DynamicType *backend(const TLSObject &o) { return static_cast(o.d->backend.get()); } static void resetBackend(QSslKey &key, QTlsPrivate::TlsKey *keyBackend); static void setupClientPskAuth(QSslPreSharedKeyAuthenticator *auth, const char *hint, int hintLength, unsigned maxIdentityLen, unsigned maxPskLen); static void setupServerPskAuth(QSslPreSharedKeyAuthenticator *auth, const char *identity, const QByteArray &identityHint, unsigned maxPskLen); #if QT_CONFIG(ssl) static QSslCipher createCiphersuite(const QString &description, int bits, int supportedBits); static QSslCipher createCiphersuite(const QString &suiteName, QSsl::SslProtocol protocol, const QString &protocolString); static QSslCipher createCipher(const QString &name, QSsl::SslProtocol protocol, const QString &protocolString); // Those statics are implemented using QSslSocketPrivate (which is not exported, // unlike QTlsBackend). static QList defaultCiphers(); static QList defaultDtlsCiphers(); static void setDefaultCiphers(const QList &ciphers); static void setDefaultDtlsCiphers(const QList &ciphers); static void setDefaultSupportedCiphers(const QList &ciphers); static void resetDefaultEllipticCurves(); static void setDefaultCaCertificates(const QList &certs); // Many thanks to people who designed QSslConfiguration with hidden // data-members, that sneakily set by some 'friend' classes, having // some twisted logic. static bool rootLoadingOnDemandAllowed(const QSslConfiguration &configuration); static void storePeerCertificate(QSslConfiguration &configuration, const QSslCertificate &peerCert); static void storePeerCertificateChain(QSslConfiguration &configuration, const QList &peerCertificateChain); static void clearPeerCertificates(QSslConfiguration &configuration); // And those are even worse, this is where we don't have the original configuration, // and can have only a copy. So instead we go to d->privateConfiguration.someMember: static void clearPeerCertificates(QSslSocketPrivate *d); static void setPeerSessionShared(QSslSocketPrivate *d, bool shared); static void setSessionAsn1(QSslSocketPrivate *d, const QByteArray &asn1); static void setSessionLifetimeHint(QSslSocketPrivate *d, int hint); using AlpnNegotiationStatus = QSslConfiguration::NextProtocolNegotiationStatus; static void setAlpnStatus(QSslSocketPrivate *d, AlpnNegotiationStatus st); static void setNegotiatedProtocol(QSslSocketPrivate *d, const QByteArray &protocol); static void storePeerCertificate(QSslSocketPrivate *d, const QSslCertificate &peerCert); static void storePeerCertificateChain(QSslSocketPrivate *d, const QList &peerChain); static void addTustedRoot(QSslSocketPrivate *d, const QSslCertificate &rootCert);// TODO: "addTrusted..." // The next one - is a "very important" feature! Kidding ... static void setEphemeralKey(QSslSocketPrivate *d, const QSslKey &key); virtual void forceAutotestSecurityLevel(); #endif // QT_CONFIG(ssl) Q_DISABLE_COPY_MOVE(QTlsBackend) }; #define QTlsBackend_iid "org.qt-project.Qt.QTlsBackend" Q_DECLARE_INTERFACE(QTlsBackend, QTlsBackend_iid); QT_END_NAMESPACE #endif // QTLSBACKEND_P_H