qdtls.cpp

Go to the documentation of this file.

/****************************************************************************
**
** Copyright (C) 2018 The Qt Company Ltd.
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtNetwork module of the Qt Toolkit.
**
** $QT_BEGIN_LICENSE:LGPL$
** Commercial License Usage
** Licensees holding valid commercial Qt licenses may use this file in
** accordance with the commercial license agreement provided with the
** Software or, alternatively, in accordance with the terms contained in
** a written agreement between you and The Qt Company. For licensing terms
** and conditions see https://www.qt.io/terms-conditions. For further
** information use the contact form at https://www.qt.io/contact-us.
**
** GNU Lesser General Public License Usage
** Alternatively, this file may be used under the terms of the GNU Lesser
** General Public License version 3 as published by the Free Software
** Foundation and appearing in the file LICENSE.LGPL3 included in the
** packaging of this file. Please review the following information to
** ensure the GNU Lesser General Public License version 3 requirements
** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
**
** GNU General Public License Usage
** Alternatively, this file may be used under the terms of the GNU
** General Public License version 2.0 or (at your option) the GNU General
** Public license version 3 or any later version approved by the KDE Free
** Qt Foundation. The licenses are as published by the Free Software
** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
** included in the packaging of this file. Please review the following
** information to ensure the GNU General Public License requirements will
** be met: https://www.gnu.org/licenses/gpl-2.0.html and
** https://www.gnu.org/licenses/gpl-3.0.html.
**
** $QT_END_LICENSE$
**
****************************************************************************/
 
#include "qsslconfiguration.h"
#include "qsslsocket_p.h"
#include "qudpsocket.h"
#include "qsslcipher.h"
#include "qdtls_p.h"
#include "qssl_p.h"
#include "qdtls.h"
 
#include "qglobal.h"
 
QT_BEGIN_NAMESPACE
 
static QString msgUnsupportedMulticastAddress()
{
    return QDtls::tr("Multicast and broadcast addresses are not supported");
}
 
QDtlsClientVerifier::GeneratorParameters::GeneratorParameters()
{
}
 
QDtlsClientVerifier::GeneratorParameters::GeneratorParameters(QCryptographicHash::Algorithm algorithm, const QByteArray &secret)
    : hash(algorithm), secret(secret)
{
}
 
QDtlsClientVerifierPrivate::QDtlsClientVerifierPrivate()
{
    const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse();
    if (!tlsBackend) {
        qCWarning(lcSsl, "No TLS backend is available, cannot verify DTLS client");
        return;
    }
    backend.reset(tlsBackend->createDtlsCookieVerifier());
    if (!backend.get())
        qCWarning(lcSsl) << "The backend" << tlsBackend->backendName() << "does not support DTLS cookies";
}
 
QDtlsClientVerifierPrivate::~QDtlsClientVerifierPrivate() = default;
 
QDtlsClientVerifier::QDtlsClientVerifier(QObject *parent)
    : QObject(*new QDtlsClientVerifierPrivate, parent)
{
    Q_D(QDtlsClientVerifier);
 
    if (auto *backend = d->backend.get()) {
        // The default configuration suffices: verifier never does a full
        // handshake and upon verifying a cookie in a client hello message,
        // it reports success.
        auto conf = QSslConfiguration::defaultDtlsConfiguration();
        conf.setPeerVerifyMode(QSslSocket::VerifyNone);
        backend->setConfiguration(conf);
    }
}
 
QDtlsClientVerifier::~QDtlsClientVerifier()
{
}
 
bool QDtlsClientVerifier::setCookieGeneratorParameters(const GeneratorParameters &params)
{
    Q_D(QDtlsClientVerifier);
    if (auto *backend = d->backend.get())
        return backend->setCookieGeneratorParameters(params);
 
    return false;
}
 
QDtlsClientVerifier::GeneratorParameters QDtlsClientVerifier::cookieGeneratorParameters() const
{
    Q_D(const QDtlsClientVerifier);
 
    if (const auto *backend = d->backend.get())
        return backend->cookieGeneratorParameters();
 
    return {};
}
 
bool QDtlsClientVerifier::verifyClient(QUdpSocket *socket, const QByteArray &dgram,
                                       const QHostAddress &address, quint16 port)
{
    Q_D(QDtlsClientVerifier);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket || address.isNull() || !dgram.size()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              tr("A valid UDP socket, non-empty datagram, and valid address/port were expected"));
        return false;
    }
 
    if (address.isBroadcast() || address.isMulticast()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              msgUnsupportedMulticastAddress());
        return false;
    }
 
    return backend->verifyClient(socket, dgram, address, port);
}
 
QByteArray QDtlsClientVerifier::verifiedHello() const
{
    Q_D(const QDtlsClientVerifier);
 
    if (const auto *backend = d->backend.get())
        return backend->verifiedHello();
 
    return {};
}
 
QDtlsError QDtlsClientVerifier::dtlsError() const
{
    Q_D(const QDtlsClientVerifier);
 
    if (const auto *backend = d->backend.get())
        return backend->error();
 
    return QDtlsError::TlsInitializationError;
}
 
QString QDtlsClientVerifier::dtlsErrorString() const
{
    Q_D(const QDtlsClientVerifier);
 
    if (const auto *backend = d->backend.get())
        return backend->errorString();
 
    return QStringLiteral("No TLS backend is available, no client verification");
}
 
QDtlsPrivate::QDtlsPrivate() = default;
QDtlsPrivate::~QDtlsPrivate() = default;
 
QDtls::QDtls(QSslSocket::SslMode mode, QObject *parent)
    : QObject(*new QDtlsPrivate, parent)
{
    Q_D(QDtls);
    const auto *tlsBackend = QSslSocketPrivate::tlsBackendInUse();
    if (!tlsBackend) {
        qCWarning(lcSsl, "No TLS backend found, QDtls is unsupported");
        return;
    }
    d->backend.reset(tlsBackend->createDtlsCryptograph(this, mode));
    if (!d->backend.get()) {
        qCWarning(lcSsl) << "TLS backend" << tlsBackend->backendName()
                         << "does not support the protocol DTLS";
    }
    setDtlsConfiguration(QSslConfiguration::defaultDtlsConfiguration());
}
 
QDtls::~QDtls()
{
}
 
bool QDtls::setPeer(const QHostAddress &address, quint16 port,
                    const QString &verificationName)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (backend->state() != HandshakeNotStarted) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot set peer after handshake started"));
        return false;
    }
 
    if (address.isNull()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              tr("Invalid address"));
        return false;
    }
 
    if (address.isBroadcast() || address.isMulticast()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              msgUnsupportedMulticastAddress());
        return false;
    }
 
    backend->clearDtlsError();
    backend->setPeer(address, port, verificationName);
 
    return true;
}
 
bool QDtls::setPeerVerificationName(const QString &name)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (backend->state() != HandshakeNotStarted) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                        tr("Cannot set verification name after handshake started"));
        return false;
    }
 
    backend->clearDtlsError();
    backend->setPeerVerificationName(name);
 
    return true;
}
 
QHostAddress QDtls::peerAddress() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->peerAddress();
 
    return {};
}
 
quint16 QDtls::peerPort() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->peerPort();
 
    return 0;
}
 
QString QDtls::peerVerificationName() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->peerVerificationName();
 
    return {};
}
 
QSslSocket::SslMode QDtls::sslMode() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->cryptographMode();
 
    return QSslSocket::UnencryptedMode;
}
 
void QDtls::setMtuHint(quint16 mtuHint)
{
    Q_D(QDtls);
 
    if (auto *backend = d->backend.get())
        backend->setDtlsMtuHint(mtuHint);
}
 
quint16 QDtls::mtuHint() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->dtlsMtuHint();
 
    return 0;
}
 
bool QDtls::setCookieGeneratorParameters(const GeneratorParameters &params)
{
    Q_D(QDtls);
 
    if (auto *backend = d->backend.get())
        backend->setCookieGeneratorParameters(params);
 
    return false;
}
 
QDtls::GeneratorParameters QDtls::cookieGeneratorParameters() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->cookieGeneratorParameters();
 
    return {};
}
 
bool QDtls::setDtlsConfiguration(const QSslConfiguration &configuration)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (backend->state() != HandshakeNotStarted) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot set configuration after handshake started"));
        return false;
    }
 
    backend->setConfiguration(configuration);
    return true;
}
 
QSslConfiguration QDtls::dtlsConfiguration() const
{
    Q_D(const QDtls);
    if (const auto *backend = d->backend.get())
        return backend->configuration();
 
    return {};
}
 
QDtls::HandshakeState QDtls::handshakeState()const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->state();
 
    return QDtls::HandshakeNotStarted;
}
 
bool QDtls::doHandshake(QUdpSocket *socket, const QByteArray &dgram)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (backend->state() == HandshakeNotStarted)
        return startHandshake(socket, dgram);
    else if (backend->state() == HandshakeInProgress)
        return continueHandshake(socket, dgram);
 
    backend->setDtlsError(QDtlsError::InvalidOperation,
                          tr("Cannot start/continue handshake, invalid handshake state"));
    return false;
}
 
bool QDtls::startHandshake(QUdpSocket *socket, const QByteArray &datagram)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return false;
    }
 
    if (backend->peerAddress().isNull()) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("To start a handshake you must set peer's address and port first"));
        return false;
    }
 
    if (sslMode() == QSslSocket::SslServerMode && !datagram.size()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              tr("To start a handshake, DTLS server requires non-empty datagram (client hello)"));
        return false;
    }
 
    if (backend->state() != HandshakeNotStarted) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot start handshake, already done/in progress"));
        return false;
    }
 
    return backend->startHandshake(socket, datagram);
}
 
bool QDtls::handleTimeout(QUdpSocket *socket)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return false;
    }
 
    return backend->handleTimeout(socket);
}
 
bool QDtls::continueHandshake(QUdpSocket *socket, const QByteArray &datagram)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket || !datagram.size()) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              tr("A valid QUdpSocket and non-empty datagram are needed to continue the handshake"));
        return false;
    }
 
    if (backend->state() != HandshakeInProgress) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot continue handshake, not in InProgress state"));
        return false;
    }
 
    return backend->continueHandshake(socket, datagram);
}
 
bool QDtls::resumeHandshake(QUdpSocket *socket)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return false;
    }
 
    if (backend->state() != PeerVerificationFailed) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot resume, not in VerificationError state"));
        return false;
    }
 
    return backend->resumeHandshake(socket);
}
 
bool QDtls::abortHandshake(QUdpSocket *socket)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return false;
    }
 
    if (backend->state() != PeerVerificationFailed && backend->state() != HandshakeInProgress) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("No handshake in progress, nothing to abort"));
        return false;
    }
 
    backend->abortHandshake(socket);
    return true;
}
 
bool QDtls::shutdown(QUdpSocket *socket)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return false;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters,
                              tr("Invalid (nullptr) socket"));
        return false;
    }
 
    if (!backend->isConnectionEncrypted()) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot send shutdown alert, not encrypted"));
        return false;
    }
 
    backend->sendShutdownAlert(socket);
    return true;
}
 
bool QDtls::isConnectionEncrypted() const
{
    Q_D(const QDtls);
 
 
    if (const auto *backend = d->backend.get())
        return backend->isConnectionEncrypted();
 
    return false;
}
 
QSslCipher QDtls::sessionCipher() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->dtlsSessionCipher();
 
    return {};
}
 
QSsl::SslProtocol QDtls::sessionProtocol() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->dtlsSessionProtocol();
 
    return QSsl::UnknownProtocol;
}
 
qint64 QDtls::writeDatagramEncrypted(QUdpSocket *socket, const QByteArray &dgram)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return -1;
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return -1;
    }
 
    if (!isConnectionEncrypted()) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot write a datagram, not in encrypted state"));
        return -1;
    }
 
    return backend->writeDatagramEncrypted(socket, dgram);
}
 
QByteArray QDtls::decryptDatagram(QUdpSocket *socket, const QByteArray &dgram)
{
    Q_D(QDtls);
 
    auto *backend = d->backend.get();
    if (!backend)
        return {};
 
    if (!socket) {
        backend->setDtlsError(QDtlsError::InvalidInputParameters, tr("Invalid (nullptr) socket"));
        return {};
    }
 
    if (!isConnectionEncrypted()) {
        backend->setDtlsError(QDtlsError::InvalidOperation,
                              tr("Cannot read a datagram, not in encrypted state"));
        return {};
    }
 
    if (!dgram.size())
        return {};
 
    return backend->decryptDatagram(socket, dgram);
}
 
QDtlsError QDtls::dtlsError() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->error();
 
    return QDtlsError::NoError;
}
 
QString QDtls::dtlsErrorString() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->errorString();
 
    return {};
}
 
QList<QSslError> QDtls::peerVerificationErrors() const
{
    Q_D(const QDtls);
 
    if (const auto *backend = d->backend.get())
        return backend->peerVerificationErrors();
 
    //return d->tlsErrors;
    return {};
}
 
void QDtls::ignoreVerificationErrors(const QList<QSslError> &errorsToIgnore)
{
    Q_D(QDtls);
 
    if (auto *backend = d->backend.get())
        backend->ignoreVerificationErrors(errorsToIgnore);
}
 
QT_END_NAMESPACE