/****************************************************************************
**
** Copyright (C) 2021 The Qt Company Ltd.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and The Qt Company. For licensing terms
** and conditions see https://www.qt.io/terms-conditions. For further
** information use the contact form at https://www.qt.io/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 3 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL3 included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 3 requirements
** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 2.0 or (at your option) the GNU General
** Public license version 3 or any later version approved by the KDE Free
** Qt Foundation. The licenses are as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
** included in the packaging of this file. Please review the following
** information to ensure the GNU General Public License requirements will
** be met: https://www.gnu.org/licenses/gpl-2.0.html and
** https://www.gnu.org/licenses/gpl-3.0.html.
**
** $QT_END_LICENSE$
**
****************************************************************************/

#ifndef QTLSBACKEND_P_H
#define QTLSBACKEND_P_H

//
//  W A R N I N G
//  -------------
//
// This file is not part of the Qt API.  It exists purely as an
// implementation detail.  This header file may change from version to
// version without notice, or even be removed.
//
// We mean it.
//

#include <QtNetwork/private/qtnetworkglobal_p.h>

#include "qsslconfiguration.h"
#include "qsslerror.h"
#include "qssl_p.h"

#if QT_CONFIG(dtls)
#include "qdtls.h"
#endif

#include <QtNetwork/qsslcertificate.h>
#include <QtNetwork/qsslerror.h>
#include <QtNetwork/qsslkey.h>
#include <QtNetwork/qssl.h>

#include <QtCore/qloggingcategory.h>
#include <QtCore/qnamespace.h>
#include <QtCore/qobject.h>
#include <QtCore/qglobal.h>
#include <QtCore/qstring.h>
#include <QtCore/qlist.h>
#include <QtCore/qmap.h>

#include <memory>

QT_BEGIN_NAMESPACE

// Forward declarations. The interfaces below only name these types in
// function signatures (parameters and return types of declarations, no
// definitions), which does not require a complete type.
// NOTE(review): QSslKey is already complete via <QtNetwork/qsslkey.h>
// included above, so its forward declaration is redundant but harmless.
class QHostAddress;
class QByteArray;
class QSslCipher;
class QUdpSocket;
class QIODevice;
class QSslKey;

namespace QSsl {

// The class TlsKey encapsulates key's data (DER) or backend-specific
// data-structure, like RSA/DSA/DH structs in OpenSSL.
// TLSTODO: Interface is mostly what QSslKeyPrivate is now. Names,
// however strange they are, for now preserved to ease the transition
// (this may change in future - for example, 'decodeDer' is not just
// decoding DER, it's initializing a key from DER. Note, QSslKey requires
// a real TLS library because private keys tend to be encrypted. This
// base class does not need a working TLS library.
//
// Instances are produced by QTlsBackend::createKey() and attached to a
// QSslKey through QTlsBackend::resetBackend() (both declared below). The
// type itself expresses no ownership of the native object behind handle();
// that is a backend concern.
class TlsKey {
public:
    virtual ~TlsKey();

    // Initialize this key from DER / PEM encoded data. 'passPhrase' is
    // needed when the encoded private key is encrypted. 'deepClear' is the
    // same flag as in clear(bool) below - presumably it selects whether the
    // previous key material is scrubbed rather than merely released; confirm
    // against the concrete backend before relying on it.
    virtual void decodeDer(KeyType type, KeyAlgorithm algorithm, const QByteArray &der,
                           const QByteArray &passPhrase, bool deepClear) = 0;
    virtual void decodePem(KeyType type, KeyAlgorithm algorithm, const QByteArray &pem,
                           const QByteArray &passPhrase, bool deepClear) = 0;

    // PEM encoding of this key; a non-empty 'passPhrase' presumably produces
    // an encrypted PEM block (backend-defined - confirm).
    virtual QByteArray toPem(const QByteArray &passPhrase) const = 0;
    // PEM <-> DER re-encoding. 'headers' carries the PEM header lines
    // (for derFromPem they are filled in, for pemFromDer they are emitted);
    // which headers a backend populates, e.g. for encrypted keys, is not
    // fixed by this interface.
    virtual QByteArray derFromPem(const QByteArray &pem, QMap<QByteArray, QByteArray> *headers) const = 0;
    virtual QByteArray pemFromDer(const QByteArray &der, const QMap<QByteArray, QByteArray> &headers) const = 0;

    // Adopt / expose the native TLS-library key object as an opaque handle.
    // The handle type carries no lifetime information: who frees the object
    // behind it is backend-specific.
    virtual void fromHandle(Qt::HANDLE opaque, KeyType type) = 0;
    virtual Qt::HANDLE handle() const = 0;

    virtual bool isNull() const = 0;
    virtual KeyType type() const = 0;
    virtual KeyAlgorithm algorithm() const = 0;
    // Key length; the unit is not fixed here (presumably bits, matching
    // QSslKey::length() - confirm).
    virtual int length() const = 0;

    // Release the key data; see the 'deepClear' note on decodeDer().
    virtual void clear(bool deepClear) = 0;

    // Needed by QSslKeyPrivate::pemFromDer() for non-OpenSSL backends.
    virtual bool isPkcs8() const = 0;

    // Raw symmetric primitives with an explicit key and IV. Cipher is
    // QSsl::Cipher. NOTE(review): these look like the helpers used by the
    // key codec for pass-phrase protected keys, not TLS record protection -
    // verify against the callers before reusing them for anything else.
    using Cipher = QSsl::Cipher;
    virtual QByteArray decrypt(Cipher cipher, const QByteArray &data,
                               const QByteArray &key, const QByteArray &iv) const = 0;
    virtual QByteArray encrypt(Cipher cipher, const QByteArray &data,
                               const QByteArray &key, const QByteArray &iv) const = 0;

    // Those two are non-virtual, always the same and only depend on the key type
    // and algorithm:
    QByteArray pemHeader() const;
    QByteArray pemFooter() const;
};

// An abstraction hiding OpenSSL's X509 or our generic
// 'derData'-based code.
// Everything here is a read-only query on an already parsed certificate;
// parsing itself goes through the X509*ReaderPtr functions further below.
class X509Certificate
{
public:
    virtual ~X509Certificate();

    virtual bool isEqual(const X509Certificate &rhs) const = 0;
    virtual bool isNull() const = 0;
    // Self-signed says nothing about trust: a self-signed certificate is
    // only trustworthy if it is explicitly configured as a CA.
    virtual bool isSelfSigned() const = 0;
    virtual QByteArray version() const = 0;
    virtual QByteArray serialNumber() const = 0;
    // Issuer / subject fields, by well-known SubjectInfo enumerator or by
    // raw attribute name (as returned by the *InfoAttributes() below).
    virtual QStringList issuerInfo(QSslCertificate::SubjectInfo info) const = 0;
    virtual QStringList issuerInfo(const QByteArray &attribute) const = 0;
    virtual QStringList subjectInfo(QSslCertificate::SubjectInfo info) const = 0;
    virtual QStringList subjectInfo(const QByteArray &attribute) const = 0;

    virtual QList<QByteArray> subjectInfoAttributes() const = 0;
    virtual QList<QByteArray> issuerInfoAttributes() const = 0;
    virtual QMultiMap<QSsl::AlternativeNameEntryType, QString> subjectAlternativeNames() const = 0;
    virtual QDateTime effectiveDate() const = 0;
    virtual QDateTime expiryDate() const = 0;

    // Non-pure: a default implementation lives outside this header.
    // Returns a TlsKey pointer; whether the caller owns it is not expressed
    // by the signature - confirm before storing it.
    virtual TlsKey *publicKey() const;

    // Extensions. Plugins do not expose internal representation
    // and cannot rely on QSslCertificate's internals.
    // 'index' ranges over [0, numberOfExtensions()).
    virtual qsizetype numberOfExtensions() const = 0;
    virtual QString oidForExtension(qsizetype index) const = 0;
    virtual QString nameForExtension(qsizetype index) const = 0;
    virtual QVariant valueForExtension(qsizetype index) const = 0;
    // A critical extension that is not supported should make the
    // certificate unusable; both flags are exposed so the caller can decide.
    virtual bool isExtensionCritical(qsizetype index) const = 0;
    virtual bool isExtensionSupported(qsizetype index) const = 0;

    virtual QByteArray toPem() const = 0;
    virtual QByteArray toDer() const = 0;
    virtual QString toText() const = 0;

    // Opaque native object (OpenSSL X509 etc.); see the TlsKey::handle() note.
    virtual Qt::HANDLE handle() const = 0;

    // Seeded hash, noexcept; should agree with isEqual() (equal certificates
    // hash alike) for use as a hash-container key.
    virtual size_t hash(size_t seed) const noexcept = 0;
};

// TLSTODO: consider making those into virtuals in QTlsBackend. After all, we ask the backend
// to return those pointers if the functionality is supported, but it's a bit odd to have
// this level of indirection. They are not parts of the classes above because ...
// you'd then have to ask backend to create a certificate to ... call those
// functions on a certificate.
//
// X509ChainVerifyPtr: verifies 'chain' against the backend's trust settings
// and 'hostName'; the result is the list of verification errors found. An
// empty list presumably means "verified" (confirm per backend) - callers
// must not treat a non-empty list as success.
using X509ChainVerifyPtr = QList<QSslError> (*)(const QList<QSslCertificate> &chain,
                                                const QString &hostName);
// X509PemReaderPtr / X509DerReaderPtr: parse up to 'count' certificates
// from 'pem' (how "all" is requested, e.g. a negative count, is not fixed
// here - confirm). The DER reader shares the signature.
using X509PemReaderPtr = QList<QSslCertificate> (*)(const QByteArray &pem, int count);
using X509DerReaderPtr = X509PemReaderPtr;
// X509Pkcs12ReaderPtr: reads a PKCS#12 bundle from 'device' using
// 'passPhrase' and stores the private key, its certificate and the CA
// certificates through the out-pointers; the bool presumably reports
// success.
using X509Pkcs12ReaderPtr = bool (*)(QIODevice *device, QSslKey *key, QSslCertificate *cert,
                                     QList<QSslCertificate> *caCertificates,
                                     const QByteArray &passPhrase);

// TLS over TCP. Handshake, encryption/decryption.
class TlsCryptograph;

#if QT_CONFIG(dtls)

// Shared state of the DTLS objects below: error reporting, the
// QSslConfiguration in use and the cookie-generator parameters used for
// the stateless cookie exchange (see QDtlsClientVerifier::GeneratorParameters).
class DtlsBase
{
public:
    virtual ~DtlsBase();

    virtual void setDtlsError(QDtlsError code, const QString &description) = 0;

    virtual QDtlsError error() const = 0;
    virtual QString errorString() const = 0;

    virtual void clearDtlsError() = 0;

    virtual void setConfiguration(const QSslConfiguration &configuration) = 0;
    virtual QSslConfiguration configuration() const = 0;

    using GenParams = QDtlsClientVerifier::GeneratorParameters;
    virtual bool setCookieGeneratorParameters(const GenParams &params) = 0;
    virtual GenParams cookieGeneratorParameters() const = 0;
};

// DTLS cookie: generation and verification.
// Used by a server to avoid committing state to an unverified peer:
// verifyClient() inspects 'dgram' from address:port on 'socket' and
// returns true once the client has presented a valid cookie (it is
// presumably responsible for sending the cookie challenge itself - confirm);
// verifiedHello() then presumably returns the hello that passed, to be
// fed into DtlsCryptograph::startHandshake().
class DtlsCookieVerifier : virtual public DtlsBase
{
public:
    virtual bool verifyClient(QUdpSocket *socket, const QByteArray &dgram,
                              const QHostAddress &address, quint16 port) = 0;
    virtual QByteArray verifiedHello() const = 0;
};

// TLS over UDP. Handshake, encryption/decryption.
// One instance per DTLS connection; all socket operations take the
// QUdpSocket explicitly rather than owning it.
class DtlsCryptograph : virtual public DtlsBase
{
public:

    virtual QSslSocket::SslMode cryptographMode() const = 0;
    // Peer endpoint plus the name used for certificate verification.
    // 'name' in setPeer() and setPeerVerificationName() is what the peer's
    // certificate is matched against; leaving it empty weakens
    // authentication to "any certificate the trust store accepts".
    virtual void setPeer(const QHostAddress &addr, quint16 port, const QString &name) = 0;
    virtual QHostAddress peerAddress() const = 0;
    virtual quint16 peerPort() const = 0;
    virtual void setPeerVerificationName(const QString &name) = 0;
    virtual QString peerVerificationName() const = 0;

    // Hint for the maximum datagram size; how it is honoured is backend-defined.
    virtual void setDtlsMtuHint(quint16 mtu) = 0;
    virtual quint16 dtlsMtuHint() const = 0;

    virtual QDtls::HandshakeState state() const = 0;
    virtual bool isConnectionEncrypted() const = 0;

    // Handshake driver. Each step returns false on failure; the error is
    // then expected in error()/errorString() from DtlsBase.
    virtual bool startHandshake(QUdpSocket *socket, const QByteArray &dgram) = 0;
    virtual bool handleTimeout(QUdpSocket *socket) = 0;
    virtual bool continueHandshake(QUdpSocket *socket, const QByteArray &dgram) = 0;
    virtual bool resumeHandshake(QUdpSocket *socket) = 0;
    virtual void abortHandshake(QUdpSocket *socket) = 0;
    virtual void sendShutdownAlert(QUdpSocket *socket) = 0;

    // Certificate verification outcome for this connection.
    // ignoreVerificationErrors() marks the listed errors as non-fatal for
    // this connection only; pass a specific, reviewed list rather than the
    // whole result of peerVerificationErrors(), which disables verification.
    virtual QList<QSslError> peerVerificationErrors() const = 0;
    virtual void ignoreVerificationErrors(const QList<QSslError> &errorsToIgnore) = 0;

    virtual QSslCipher dtlsSessionCipher() const = 0;
    virtual QSsl::SslProtocol dtlsSessionProtocol() const = 0;

    // Record protection. writeDatagramEncrypted() returns the qint64
    // write result (presumably bytes written or -1, as QUdpSocket does -
    // confirm); decryptDatagram() returns the plaintext of 'dgram'.
    virtual qint64 writeDatagramEncrypted(QUdpSocket *socket, const QByteArray &dgram) = 0;
    virtual QByteArray decryptDatagram(QUdpSocket *socket, const QByteArray &dgram) = 0;
};

#else

// Without DTLS support only the names are needed, so that the factory
// methods in QTlsBackend (createDtlsCryptograph(), createDtlsCookieVerifier())
// still declare.
class DtlsCookieVerifier;
class DtlsCryptograph;

#endif // QT_CONFIG(dtls)




} // namespace QSsl

// Factory, creating back-end specific implementations of
// different entities QSslSocket is using.
// Factory, creating back-end specific implementations of
// different entities QSslSocket is using.
// Backends are discovered as plugins through the QTlsBackend_iid interface
// declared further below; the static lookup functions select among them
// by name. Everything virtual and non-pure has a default implementation
// outside this header (presumably a "not supported" stub; what it returns
// should be checked by callers, see implementedClasses()).
class Q_NETWORK_EXPORT QTlsBackend : public QObject
{
    Q_OBJECT
public:
    QTlsBackend();
    ~QTlsBackend() override;

    // Non-pure: whether this backend can actually be used (e.g. its
    // library loaded); the default is defined in the .cpp.
    virtual bool isValid() const;

    virtual QString backendName() const = 0;
    virtual QList<QSsl::SslProtocol> supportedProtocols() const = 0;
    virtual QList<QSsl::SupportedFeature> supportedFeatures() const = 0;
    virtual QList<QSsl::ImplementedClass> implementedClasses() const = 0;

    // X509 and keys:
    // Raw pointers are returned; ownership is not expressed by the signature,
    // so check the .cpp / callers (e.g. resetBackend() below) before storing.
    virtual QSsl::TlsKey *createKey() const;
    virtual QSsl::X509Certificate *createCertificate() const;

    // TLS and DTLS:
    // 'mode' is a plain int (TLSTODO-style); presumably a QSslSocket::SslMode
    // value - confirm against the callers.
    virtual QSsl::TlsCryptograph *createTlsCryptograph() const;
    virtual QSsl::DtlsCryptograph *createDtlsCryptograph(class QDtls *qObject, int mode) const;
    virtual QSsl::DtlsCookieVerifier *createDtlsCookieVerifier() const;

    // TLSTODO - get rid of these function pointers, make them virtuals in
    // the backend itself. X509 machinery:
    // A null pointer presumably signals the backend does not provide the
    // function; callers must test before calling through it.
    virtual QSsl::X509ChainVerifyPtr X509Verifier() const;
    virtual QSsl::X509PemReaderPtr X509PemReader() const;
    virtual QSsl::X509DerReaderPtr X509DerReader() const;
    virtual QSsl::X509Pkcs12ReaderPtr X509Pkcs12Reader() const;

    // Elliptic curves:
    // Curve identifiers ('cid') are backend-defined ints; the name lookups
    // map between them and short/long curve names.
    virtual QList<int> ellipticCurvesIds() const;
    virtual int curveIdFromShortName(const QString &name) const;
    virtual int curveIdFromLongName(const QString &name) const;
    virtual QString shortNameForId(int cid) const;
    virtual QString longNameForId(int cid) const;
    virtual bool isTlsNamedCurve(int cid) const;

    // TLSTODO: int->enum ugliness in error reporting.
    // DH decoding:
    // Decode DH parameters from DER/PEM into '*data'; the int return is an
    // error code whose values are, for now, backend-defined.
    virtual int dhParametersFromDer(const QByteArray &derData, QByteArray *data) const;
    virtual int dhParametersFromPem(const QByteArray &pemData, QByteArray *data) const;

    // Backend discovery. findBackend()/activeOrAnyBackend() return raw
    // pointers owned elsewhere (presumably nullptr when nothing matches -
    // confirm in the .cpp).
    static QList<QString> availableBackendNames();
    static QString defaultBackendName();
    static QTlsBackend *findBackend(const QString &backendName);
    static QTlsBackend *activeOrAnyBackend();

    // Same queries as the virtuals above, but for a backend selected by name.
    static QList<QSsl::SslProtocol> supportedProtocols(const QString &backendName);
    static QList<QSsl::SupportedFeature> supportedFeatures(const QString &backendName);
    static QList<QSsl::ImplementedClass> implementedClasses(const QString &backendName);

    // Built-in, this is what Qt provides out of the box (depending on OS):
    // The nameIndex* constants index builtinBackendNames[] (defined in the .cpp).
    static constexpr const int nameIndexSchannel = 0;
    static constexpr const int nameIndexSecureTransport = 1;
    static constexpr const int nameIndexOpenSSL = 2;

    static const QString builtinBackendNames[];

    // Unchecked downcast of a TLS object's backend implementation.
    // static_cast performs no runtime check, so the caller must know that
    // o.backendImplementation() really was created by the backend whose
    // type DynamicType is; mixing backends here is undefined behaviour.
    template<class DynamicType, class  TLSObject>
    static DynamicType *backend(const TLSObject &o)
    {
        return static_cast<DynamicType *>(o.backendImplementation());
    }

    // Replace the TlsKey implementation behind 'key' with 'keyBackend'.
    // What happens to the previous implementation is defined in the .cpp.
    static void resetBackend(QSslKey &key, QSsl::TlsKey *keyBackend);

    Q_DISABLE_COPY_MOVE(QTlsBackend)
};

// Logging category shared by the backend machinery (defined in the .cpp).
Q_DECLARE_LOGGING_CATEGORY(lcTlsBackend)

// Plugin interface id: a backend plugin is recognised through this string
// by Q_DECLARE_INTERFACE / qobject_cast when plugins are loaded.
#define QTlsBackend_iid "org.qt-project.Qt.QTlsBackend"
Q_DECLARE_INTERFACE(QTlsBackend, QTlsBackend_iid);

QT_END_NAMESPACE

#endif // QTLSBACKEND_P_H