1 | /**************************************************************************** |
2 | ** |
3 | ** Copyright (C) 2018 The Qt Company Ltd. |
4 | ** Contact: https://www.qt.io/licensing/ |
5 | ** |
6 | ** This file is part of the QtNetwork module of the Qt Toolkit. |
7 | ** |
8 | ** $QT_BEGIN_LICENSE:LGPL$ |
9 | ** Commercial License Usage |
10 | ** Licensees holding valid commercial Qt licenses may use this file in |
11 | ** accordance with the commercial license agreement provided with the |
12 | ** Software or, alternatively, in accordance with the terms contained in |
13 | ** a written agreement between you and The Qt Company. For licensing terms |
14 | ** and conditions see https://www.qt.io/terms-conditions. For further |
15 | ** information use the contact form at https://www.qt.io/contact-us. |
16 | ** |
17 | ** GNU Lesser General Public License Usage |
18 | ** Alternatively, this file may be used under the terms of the GNU Lesser |
19 | ** General Public License version 3 as published by the Free Software |
20 | ** Foundation and appearing in the file LICENSE.LGPL3 included in the |
21 | ** packaging of this file. Please review the following information to |
22 | ** ensure the GNU Lesser General Public License version 3 requirements |
23 | ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. |
24 | ** |
25 | ** GNU General Public License Usage |
26 | ** Alternatively, this file may be used under the terms of the GNU |
27 | ** General Public License version 2.0 or (at your option) the GNU General |
28 | ** Public license version 3 or any later version approved by the KDE Free |
29 | ** Qt Foundation. The licenses are as published by the Free Software |
30 | ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 |
31 | ** included in the packaging of this file. Please review the following |
32 | ** information to ensure the GNU General Public License requirements will |
33 | ** be met: https://www.gnu.org/licenses/gpl-2.0.html and |
34 | ** https://www.gnu.org/licenses/gpl-3.0.html. |
35 | ** |
36 | ** $QT_END_LICENSE$ |
37 | ** |
38 | ****************************************************************************/ |
39 | |
40 | #ifndef NOMINMAX |
41 | #define NOMINMAX |
42 | #endif // NOMINMAX |
43 | #include "private/qnativesocketengine_p.h" |
44 | |
45 | #include "qsslpresharedkeyauthenticator_p.h" |
46 | #include "qsslsocket_openssl_symbols_p.h" |
47 | #include "qsslsocket_openssl_p.h" |
48 | #include "qsslcertificate_p.h" |
49 | #include "qdtls_openssl_p.h" |
50 | #include "qudpsocket.h" |
51 | #include "qssl_p.h" |
52 | |
53 | #include "qmessageauthenticationcode.h" |
54 | #include "qcryptographichash.h" |
55 | |
56 | #include "qdebug.h" |
57 | |
58 | #include <cstring> |
59 | #include <cstddef> |
60 | |
61 | QT_BEGIN_NAMESPACE |
62 | |
63 | #define QT_DTLS_VERBOSE 0 |
64 | |
65 | #if QT_DTLS_VERBOSE |
66 | |
67 | #define qDtlsWarning(arg) qWarning(arg) |
68 | #define qDtlsDebug(arg) qDebug(arg) |
69 | |
70 | #else |
71 | |
72 | #define qDtlsWarning(arg) |
73 | #define qDtlsDebug(arg) |
74 | |
75 | #endif // QT_DTLS_VERBOSE |
76 | |
77 | namespace dtlsutil |
78 | { |
79 | |
80 | QByteArray cookie_for_peer(SSL *ssl) |
81 | { |
82 | Q_ASSERT(ssl); |
83 | |
84 | // SSL_get_rbio does not increment the reference count |
85 | BIO *readBIO = q_SSL_get_rbio(s: ssl); |
86 | if (!readBIO) { |
87 | qCWarning(lcSsl, "No BIO (dgram) found in SSL object" ); |
88 | return {}; |
89 | } |
90 | |
91 | auto listener = static_cast<dtlsopenssl::DtlsState *>(q_BIO_get_app_data(readBIO)); |
92 | if (!listener) { |
93 | qCWarning(lcSsl, "BIO_get_app_data returned invalid (nullptr) value" ); |
94 | return {}; |
95 | } |
96 | |
97 | const QHostAddress peerAddress(listener->remoteAddress); |
98 | const quint16 peerPort(listener->remotePort); |
99 | QByteArray peerData; |
100 | if (peerAddress.protocol() == QAbstractSocket::IPv6Protocol) { |
101 | const Q_IPV6ADDR sin6_addr(peerAddress.toIPv6Address()); |
102 | peerData.resize(size: int(sizeof sin6_addr + sizeof peerPort)); |
103 | char *dst = peerData.data(); |
104 | std::memcpy(dest: dst, src: &peerPort, n: sizeof peerPort); |
105 | dst += sizeof peerPort; |
106 | std::memcpy(dest: dst, src: &sin6_addr, n: sizeof sin6_addr); |
107 | } else if (peerAddress.protocol() == QAbstractSocket::IPv4Protocol) { |
108 | const quint32 sin_addr(peerAddress.toIPv4Address()); |
109 | peerData.resize(size: int(sizeof sin_addr + sizeof peerPort)); |
110 | char *dst = peerData.data(); |
111 | std::memcpy(dest: dst, src: &peerPort, n: sizeof peerPort); |
112 | dst += sizeof peerPort; |
113 | std::memcpy(dest: dst, src: &sin_addr, n: sizeof sin_addr); |
114 | } else { |
115 | Q_UNREACHABLE(); |
116 | } |
117 | |
118 | return peerData; |
119 | } |
120 | |
121 | struct FallbackCookieSecret |
122 | { |
123 | FallbackCookieSecret() |
124 | { |
125 | key.resize(size: 32); |
126 | const int status = q_RAND_bytes(b: reinterpret_cast<unsigned char *>(key.data()), |
127 | n: key.size()); |
128 | if (status <= 0) |
129 | key.clear(); |
130 | } |
131 | |
132 | QByteArray key; |
133 | |
134 | Q_DISABLE_COPY(FallbackCookieSecret) |
135 | }; |
136 | |
137 | QByteArray fallbackSecret() |
138 | { |
139 | static const FallbackCookieSecret generator; |
140 | return generator.key; |
141 | } |
142 | |
143 | int next_timeoutMs(SSL *tlsConnection) |
144 | { |
145 | Q_ASSERT(tlsConnection); |
146 | timeval timeLeft = {}; |
147 | q_DTLSv1_get_timeout(tlsConnection, &timeLeft); |
148 | return timeLeft.tv_sec * 1000; |
149 | } |
150 | |
151 | |
152 | void delete_connection(SSL *ssl) |
153 | { |
154 | // The 'deleter' for QSharedPointer<SSL>. |
155 | if (ssl) |
156 | q_SSL_free(a: ssl); |
157 | } |
158 | |
159 | void delete_BIO_ADDR(BIO_ADDR *bio) |
160 | { |
161 | // A deleter for QSharedPointer<BIO_ADDR> |
162 | if (bio) |
163 | q_BIO_ADDR_free(ap: bio); |
164 | } |
165 | |
166 | void delete_bio_method(BIO_METHOD *method) |
167 | { |
168 | // The 'deleter' for QSharedPointer<BIO_METHOD>. |
169 | if (method) |
170 | q_BIO_meth_free(biom: method); |
171 | } |
172 | |
173 | // The path MTU discovery is non-trivial: it's a mix of getsockopt/setsockopt |
174 | // (IP_MTU/IP6_MTU/IP_MTU_DISCOVER) and fallback MTU values. It's not |
175 | // supported on all platforms, worse so - imposes specific requirements on |
176 | // underlying UDP socket etc. So for now, we either try a user-proposed MTU |
177 | // hint or rely on our own fallback value. As a fallback mtu OpenSSL uses 576 |
178 | // for IPv4 and 1280 for IPv6 (RFC 791, RFC 2460). To KIS we use 576. This |
179 | // rather small MTU value does not affect the size that can be read/written |
180 | // by QDtls, only a handshake (which is allowed to fragment). |
181 | enum class MtuGuess : long |
182 | { |
183 | defaultMtu = 576 |
184 | }; |
185 | |
186 | } // namespace dtlsutil |
187 | |
188 | namespace dtlscallbacks |
189 | { |
190 | |
191 | extern "C" int q_generate_cookie_callback(SSL *ssl, unsigned char *dst, |
192 | unsigned *cookieLength) |
193 | { |
194 | if (!ssl || !dst || !cookieLength) { |
195 | qCWarning(lcSsl, |
196 | "Failed to generate cookie - invalid (nullptr) parameter(s)" ); |
197 | return 0; |
198 | } |
199 | |
200 | void *generic = q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData); |
201 | if (!generic) { |
202 | qCWarning(lcSsl, "SSL_get_ex_data returned nullptr, cannot generate cookie" ); |
203 | return 0; |
204 | } |
205 | |
206 | *cookieLength = 0; |
207 | |
208 | auto dtls = static_cast<dtlsopenssl::DtlsState *>(generic); |
209 | if (!dtls->secret.size()) |
210 | return 0; |
211 | |
212 | const QByteArray peerData(dtlsutil::cookie_for_peer(ssl)); |
213 | if (!peerData.size()) |
214 | return 0; |
215 | |
216 | QMessageAuthenticationCode hmac(dtls->hashAlgorithm, dtls->secret); |
217 | hmac.addData(data: peerData); |
218 | const QByteArray cookie = hmac.result(); |
219 | Q_ASSERT(cookie.size() >= 0); |
220 | // DTLS1_COOKIE_LENGTH is erroneously 256 bytes long, must be 255 - RFC 6347, 4.2.1. |
221 | *cookieLength = qMin(DTLS1_COOKIE_LENGTH - 1, b: cookie.size()); |
222 | std::memcpy(dest: dst, src: cookie.constData(), n: *cookieLength); |
223 | |
224 | return 1; |
225 | } |
226 | |
227 | extern "C" int q_verify_cookie_callback(SSL *ssl, const unsigned char *cookie, |
228 | unsigned cookieLength) |
229 | { |
230 | if (!ssl || !cookie || !cookieLength) { |
231 | qCWarning(lcSsl, "Could not verify cookie, invalid (nullptr or zero) parameters" ); |
232 | return 0; |
233 | } |
234 | |
235 | unsigned char newCookie[DTLS1_COOKIE_LENGTH] = {}; |
236 | unsigned newCookieLength = 0; |
237 | if (q_generate_cookie_callback(ssl, dst: newCookie, cookieLength: &newCookieLength) != 1) |
238 | return 0; |
239 | |
240 | return newCookieLength == cookieLength |
241 | && !std::memcmp(s1: cookie, s2: newCookie, n: cookieLength); |
242 | } |
243 | |
244 | extern "C" int q_X509DtlsCallback(int ok, X509_STORE_CTX *ctx) |
245 | { |
246 | if (!ok) { |
247 | // Store the error and at which depth the error was detected. |
248 | SSL *ssl = static_cast<SSL *>(q_X509_STORE_CTX_get_ex_data(ctx, idx: q_SSL_get_ex_data_X509_STORE_CTX_idx())); |
249 | if (!ssl) { |
250 | qCWarning(lcSsl, "X509_STORE_CTX_get_ex_data returned nullptr, handshake failure" ); |
251 | return 0; |
252 | } |
253 | |
254 | void *generic = q_SSL_get_ex_data(ssl, idx: QSslSocketBackendPrivate::s_indexForSSLExtraData); |
255 | if (!generic) { |
256 | qCWarning(lcSsl, "SSL_get_ex_data returned nullptr, handshake failure" ); |
257 | return 0; |
258 | } |
259 | |
260 | auto dtls = static_cast<dtlsopenssl::DtlsState *>(generic); |
261 | dtls->x509Errors.append(t: QSslErrorEntry::fromStoreContext(ctx)); |
262 | } |
263 | |
264 | // Always return 1 (OK) to allow verification to continue. We handle the |
265 | // errors gracefully after collecting all errors, after verification has |
266 | // completed. |
267 | return 1; |
268 | } |
269 | |
270 | extern "C" unsigned q_PSK_client_callback(SSL *ssl, const char *hint, char *identity, |
271 | unsigned max_identity_len, unsigned char *psk, |
272 | unsigned max_psk_len) |
273 | { |
274 | auto *dtls = static_cast<dtlsopenssl::DtlsState *>(q_SSL_get_ex_data(ssl, |
275 | idx: QSslSocketBackendPrivate::s_indexForSSLExtraData)); |
276 | if (!dtls) |
277 | return 0; |
278 | |
279 | Q_ASSERT(dtls->dtlsPrivate); |
280 | return dtls->dtlsPrivate->pskClientCallback(hint, identity, max_identity_len, psk, max_psk_len); |
281 | } |
282 | |
283 | extern "C" unsigned q_PSK_server_callback(SSL *ssl, const char *identity, unsigned char *psk, |
284 | unsigned max_psk_len) |
285 | { |
286 | auto *dtls = static_cast<dtlsopenssl::DtlsState *>(q_SSL_get_ex_data(ssl, |
287 | idx: QSslSocketBackendPrivate::s_indexForSSLExtraData)); |
288 | if (!dtls) |
289 | return 0; |
290 | |
291 | Q_ASSERT(dtls->dtlsPrivate); |
292 | return dtls->dtlsPrivate->pskServerCallback(identity, psk, max_psk_len); |
293 | } |
294 | |
295 | } // namespace dtlscallbacks |
296 | |
297 | namespace dtlsbio |
298 | { |
299 | |
300 | extern "C" int q_dgram_read(BIO *bio, char *dst, int bytesToRead) |
301 | { |
302 | if (!bio || !dst || bytesToRead <= 0) { |
303 | qCWarning(lcSsl, "invalid input parameter(s)" ); |
304 | return 0; |
305 | } |
306 | |
307 | q_BIO_clear_retry_flags(bio); |
308 | |
309 | auto dtls = static_cast<dtlsopenssl::DtlsState *>(q_BIO_get_app_data(bio)); |
310 | // It's us who set data, if OpenSSL does too, the logic here is wrong |
311 | // then and we have to use BIO_set_app_data then! |
312 | Q_ASSERT(dtls); |
313 | int bytesRead = 0; |
314 | if (dtls->dgram.size()) { |
315 | bytesRead = qMin(a: dtls->dgram.size(), b: bytesToRead); |
316 | std::memcpy(dest: dst, src: dtls->dgram.constData(), n: bytesRead); |
317 | |
318 | if (!dtls->peeking) |
319 | dtls->dgram = dtls->dgram.mid(index: bytesRead); |
320 | } else { |
321 | bytesRead = -1; |
322 | } |
323 | |
324 | if (bytesRead <= 0) |
325 | q_BIO_set_retry_read(bio); |
326 | |
327 | return bytesRead; |
328 | } |
329 | |
330 | extern "C" int q_dgram_write(BIO *bio, const char *src, int bytesToWrite) |
331 | { |
332 | if (!bio || !src || bytesToWrite <= 0) { |
333 | qCWarning(lcSsl, "invalid input parameter(s)" ); |
334 | return 0; |
335 | } |
336 | |
337 | q_BIO_clear_retry_flags(bio); |
338 | |
339 | auto dtls = static_cast<dtlsopenssl::DtlsState *>(q_BIO_get_app_data(bio)); |
340 | Q_ASSERT(dtls); |
341 | if (dtls->writeSuppressed) { |
342 | // See the comment in QDtls::startHandshake. |
343 | return bytesToWrite; |
344 | } |
345 | |
346 | QUdpSocket *udpSocket = dtls->udpSocket; |
347 | Q_ASSERT(udpSocket); |
348 | |
349 | const QByteArray dgram(QByteArray::fromRawData(src, size: bytesToWrite)); |
350 | qint64 bytesWritten = -1; |
351 | if (udpSocket->state() == QAbstractSocket::ConnectedState) { |
352 | bytesWritten = udpSocket->write(data: dgram); |
353 | } else { |
354 | bytesWritten = udpSocket->writeDatagram(datagram: dgram, host: dtls->remoteAddress, |
355 | port: dtls->remotePort); |
356 | } |
357 | |
358 | if (bytesWritten <= 0) |
359 | q_BIO_set_retry_write(bio); |
360 | |
361 | Q_ASSERT(bytesWritten <= std::numeric_limits<int>::max()); |
362 | return int(bytesWritten); |
363 | } |
364 | |
365 | extern "C" int q_dgram_puts(BIO *bio, const char *src) |
366 | { |
367 | if (!bio || !src) { |
368 | qCWarning(lcSsl, "invalid input parameter(s)" ); |
369 | return 0; |
370 | } |
371 | |
372 | return q_dgram_write(bio, src, bytesToWrite: int(std::strlen(s: src))); |
373 | } |
374 | |
375 | extern "C" long q_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr) |
376 | { |
377 | // This is our custom BIO_ctrl. bio.h defines a lot of BIO_CTRL_* |
378 | // and BIO_* constants and BIO_somename macros that expands to BIO_ctrl |
379 | // call with one of those constants as argument. What exactly BIO_ctrl |
380 | // does - depends on the 'cmd' and the type of BIO (so BIO_ctrl does |
381 | // not even have a single well-defined value meaning success or failure). |
382 | // We handle only the most generic commands - the ones documented for |
383 | // BIO_ctrl - and also DGRAM specific ones. And even for them - in most |
384 | // cases we do nothing but report a success or some non-error value. |
385 | // Documents also state: "Source/sink BIOs return an 0 if they do not |
386 | // recognize the BIO_ctrl() operation." - these are covered by 'default' |
387 | // label in the switch-statement below. Debug messages in the switch mean: |
388 | // 1) we got a command that is unexpected for dgram BIO, or: |
389 | // 2) we do not call any function that would lead to OpenSSL using this |
390 | // command. |
391 | |
392 | if (!bio) { |
393 | qDebug(catFunc: lcSsl, msg: "invalid 'bio' parameter (nullptr)" ); |
394 | return -1; |
395 | } |
396 | |
397 | auto dtls = static_cast<dtlsopenssl::DtlsState *>(q_BIO_get_app_data(bio)); |
398 | Q_ASSERT(dtls); |
399 | |
400 | switch (cmd) { |
401 | // Let's start from the most generic ones, in the order in which they are |
402 | // documented (as BIO_ctrl): |
403 | case BIO_CTRL_RESET: |
404 | // BIO_reset macro. |
405 | // From documentation: |
406 | // "BIO_reset() normally returns 1 for success and 0 or -1 for failure. |
407 | // File BIOs are an exception, they return 0 for success and -1 for |
408 | // failure." |
409 | // We have nothing to reset and we are not file BIO. |
410 | return 1; |
411 | case BIO_C_FILE_SEEK: |
412 | case BIO_C_FILE_TELL: |
413 | qDtlsWarning("Unexpected cmd (BIO_C_FILE_SEEK/BIO_C_FILE_TELL)" ); |
414 | // These are for BIO_seek, BIO_tell. We are not a file BIO. |
415 | // Non-negative return value means success. |
416 | return 0; |
417 | case BIO_CTRL_FLUSH: |
418 | // BIO_flush, nothing to do, we do not buffer any data. |
419 | // 0 or -1 means error, 1 - success. |
420 | return 1; |
421 | case BIO_CTRL_EOF: |
422 | qDtlsWarning("Unexpected cmd (BIO_CTRL_EOF)" ); |
423 | // BIO_eof, 1 means EOF read. Makes no sense for us. |
424 | return 0; |
425 | case BIO_CTRL_SET_CLOSE: |
426 | // BIO_set_close with BIO_CLOSE/BIO_NOCLOSE flags. Documented as |
427 | // always returning 1. |
428 | // From the documentation: |
429 | // "Typically BIO_CLOSE is used in a source/sink BIO to indicate that |
430 | // the underlying I/O stream should be closed when the BIO is freed." |
431 | // |
432 | // QUdpSocket we work with is not BIO's business, ignoring. |
433 | return 1; |
434 | case BIO_CTRL_GET_CLOSE: |
435 | // BIO_get_close. No, never, see the comment above. |
436 | return 0; |
437 | case BIO_CTRL_PENDING: |
438 | qDtlsWarning("Unexpected cmd (BIO_CTRL_PENDING)" ); |
439 | // BIO_pending. Not used by DTLS/OpenSSL (we are not buffering). |
440 | return 0; |
441 | case BIO_CTRL_WPENDING: |
442 | // No, we have nothing buffered. |
443 | return 0; |
444 | // The constants below are not documented as a part BIO_ctrl documentation, |
445 | // but they are also not type-specific. |
446 | case BIO_CTRL_DUP: |
447 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DUP)" ); |
448 | // BIO_dup_state, not used by DTLS (and socket-related BIOs in general). |
449 | // For some very specific BIO type this 'cmd' would copy some state |
450 | // from 'bio' to (BIO*)'ptr'. 1 means success. |
451 | return 0; |
452 | case BIO_CTRL_SET_CALLBACK: |
453 | qDtlsWarning("Unexpected cmd (BIO_CTRL_SET_CALLBACK)" ); |
454 | // BIO_set_info_callback. We never call this, OpenSSL does not do this |
455 | // on its own (normally it's used if client code wants to have some |
456 | // debug information, for example, dumping handshake state via |
457 | // BIO_printf from SSL info_callback). |
458 | return 0; |
459 | case BIO_CTRL_GET_CALLBACK: |
460 | qDtlsWarning("Unexpected cmd (BIO_CTRL_GET_CALLBACK)" ); |
461 | // BIO_get_info_callback. We never call this. |
462 | if (ptr) |
463 | *static_cast<bio_info_cb **>(ptr) = nullptr; |
464 | return 0; |
465 | case BIO_CTRL_SET: |
466 | case BIO_CTRL_GET: |
467 | qDtlsWarning("Unexpected cmd (BIO_CTRL_SET/BIO_CTRL_GET)" ); |
468 | // Somewhat 'documented' as setting/getting IO type. Not used anywhere |
469 | // except BIO_buffer_get_num_lines (which contradics 'get IO type'). |
470 | // Ignoring. |
471 | return 0; |
472 | // DGRAM-specific operation, we have to return some reasonable value |
473 | // (so far, I've encountered only peek mode switching, connect). |
474 | case BIO_CTRL_DGRAM_CONNECT: |
475 | // BIO_ctrl_dgram_connect. Not needed. Our 'dtls' already knows |
476 | // the peer's address/port. Report success though. |
477 | return 1; |
478 | case BIO_CTRL_DGRAM_SET_CONNECTED: |
479 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_SET_CONNECTED)" ); |
480 | // BIO_ctrl_dgram_set_connected. We never call it, OpenSSL does |
481 | // not call it on its own (so normally it's done by client code). |
482 | // Similar to BIO_CTRL_DGRAM_CONNECT, but it also informs the BIO |
483 | // that its UDP socket is connected. We never need it though. |
484 | return -1; |
485 | case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT: |
486 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_SET_RECV_TIMEOUT)" ); |
487 | // Essentially setsockopt with SO_RCVTIMEO, not needed, our sockets |
488 | // are non-blocking. |
489 | return -1; |
490 | case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT: |
491 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_GET_RECV_TIMEOUT)" ); |
492 | // getsockopt with SO_RCVTIMEO, not needed, our sockets are |
493 | // non-blocking. ptr is timeval *. |
494 | return -1; |
495 | case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT: |
496 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_SET_SEND_TIMEOUT)" ); |
497 | // setsockopt, SO_SNDTIMEO, cannot happen. |
498 | return -1; |
499 | case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT: |
500 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_GET_SEND_TIMEOUT)" ); |
501 | // getsockopt, SO_SNDTIMEO, cannot happen. |
502 | return -1; |
503 | case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP: |
504 | // BIO_dgram_recv_timedout. No, we are non-blocking. |
505 | return 0; |
506 | case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP: |
507 | // BIO_dgram_send_timedout. No, we are non-blocking. |
508 | return 0; |
509 | case BIO_CTRL_DGRAM_MTU_DISCOVER: |
510 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_MTU_DISCOVER)" ); |
511 | // setsockopt, IP_MTU_DISCOVER/IP6_MTU_DISCOVER, to be done |
512 | // in QUdpSocket instead. OpenSSL never calls it, only client |
513 | // code. |
514 | return 1; |
515 | case BIO_CTRL_DGRAM_QUERY_MTU: |
516 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_QUERY_MTU)" ); |
517 | // To be done in QUdpSocket instead. |
518 | return 1; |
519 | case BIO_CTRL_DGRAM_GET_FALLBACK_MTU: |
520 | qDtlsWarning("Unexpected command *BIO_CTRL_DGRAM_GET_FALLBACK_MTU)" ); |
521 | // Without SSL_OP_NO_QUERY_MTU set on SSL, OpenSSL can request for |
522 | // fallback MTU after several re-transmissions. |
523 | // Should never happen in our case. |
524 | return long(dtlsutil::MtuGuess::defaultMtu); |
525 | case BIO_CTRL_DGRAM_GET_MTU: |
526 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_GET_MTU)" ); |
527 | return -1; |
528 | case BIO_CTRL_DGRAM_SET_MTU: |
529 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_SET_MTU)" ); |
530 | // Should not happen (we don't call BIO_ctrl with this parameter) |
531 | // and set MTU on SSL instead. |
532 | return -1; // num is mtu and it's a return value meaning success. |
533 | case BIO_CTRL_DGRAM_MTU_EXCEEDED: |
534 | qDtlsWarning("Unexpected cmd (BIO_CTRL_DGRAM_MTU_EXCEEDED)" ); |
535 | return 0; |
536 | case BIO_CTRL_DGRAM_GET_PEER: |
537 | qDtlsDebug("BIO_CTRL_DGRAM_GET_PEER" ); |
538 | // BIO_dgram_get_peer. We do not return a real address (DTLS is not |
539 | // using this address), but let's pretend a success. |
540 | switch (dtls->remoteAddress.protocol()) { |
541 | case QAbstractSocket::IPv6Protocol: |
542 | return sizeof(sockaddr_in6); |
543 | case QAbstractSocket::IPv4Protocol: |
544 | return sizeof(sockaddr_in); |
545 | default: |
546 | return -1; |
547 | } |
548 | case BIO_CTRL_DGRAM_SET_PEER: |
549 | // Similar to BIO_CTRL_DGRAM_CONNECTED. |
550 | return 1; |
551 | case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT: |
552 | // DTLSTODO: I'm not sure yet, how it's used by OpenSSL. |
553 | return 1; |
554 | case BIO_CTRL_DGRAM_SET_DONT_FRAG: |
555 | qDtlsDebug("BIO_CTRL_DGRAM_SET_DONT_FRAG" ); |
556 | // To be done in QUdpSocket, it's about IP_DONTFRAG etc. |
557 | return 1; |
558 | case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD: |
559 | // AFAIK it's 28 for IPv4 and 48 for IPv6, but let's pretend it's 0 |
560 | // so that OpenSSL does not start suddenly fragmenting the first |
561 | // client hello (which will result in DTLSv1_listen rejecting it). |
562 | return 0; |
563 | case BIO_CTRL_DGRAM_SET_PEEK_MODE: |
564 | dtls->peeking = num; |
565 | return 1; |
566 | default:; |
567 | #if QT_DTLS_VERBOSE |
568 | qWarning() << "Unexpected cmd (" << cmd << ")" ; |
569 | #endif |
570 | } |
571 | |
572 | return 0; |
573 | } |
574 | |
575 | extern "C" int q_dgram_create(BIO *bio) |
576 | { |
577 | |
578 | q_BIO_set_init(a: bio, init: 1); |
579 | // With a custom BIO you'd normally allocate some implementation-specific |
580 | // data and append it to this new BIO using BIO_set_data. We don't need |
581 | // it and thus q_dgram_destroy below is a noop. |
582 | return 1; |
583 | } |
584 | |
585 | extern "C" int q_dgram_destroy(BIO *bio) |
586 | { |
587 | Q_UNUSED(bio) |
588 | return 1; |
589 | } |
590 | |
591 | const char * const qdtlsMethodName = "qdtlsbio" ; |
592 | |
593 | } // namespace dtlsbio |
594 | |
595 | namespace dtlsopenssl |
596 | { |
597 | |
598 | bool DtlsState::init(QDtlsBasePrivate *dtlsBase, QUdpSocket *socket, |
599 | const QHostAddress &remote, quint16 port, |
600 | const QByteArray &receivedMessage) |
601 | { |
602 | Q_ASSERT(dtlsBase); |
603 | Q_ASSERT(socket); |
604 | |
605 | if (!tlsContext.data() && !initTls(dtlsBase)) |
606 | return false; |
607 | |
608 | udpSocket = socket; |
609 | |
610 | setLinkMtu(dtlsBase); |
611 | |
612 | dgram = receivedMessage; |
613 | remoteAddress = remote; |
614 | remotePort = port; |
615 | |
616 | // SSL_get_rbio does not increment a reference count. |
617 | BIO *bio = q_SSL_get_rbio(s: tlsConnection.data()); |
618 | Q_ASSERT(bio); |
619 | q_BIO_set_app_data(bio, this); |
620 | |
621 | return true; |
622 | } |
623 | |
624 | void DtlsState::reset() |
625 | { |
626 | tlsConnection.reset(); |
627 | tlsContext.reset(); |
628 | } |
629 | |
630 | bool DtlsState::initTls(QDtlsBasePrivate *dtlsBase) |
631 | { |
632 | if (tlsContext.data()) |
633 | return true; |
634 | |
635 | if (!QSslSocket::supportsSsl()) |
636 | return false; |
637 | |
638 | if (!initCtxAndConnection(dtlsBase)) |
639 | return false; |
640 | |
641 | if (!initBIO(dtlsBase)) { |
642 | tlsConnection.reset(); |
643 | tlsContext.reset(); |
644 | return false; |
645 | } |
646 | |
647 | return true; |
648 | } |
649 | |
650 | static QString msgFunctionFailed(const char *function) |
651 | { |
652 | //: %1: Some function |
653 | return QDtls::tr(s: "%1 failed" ).arg(a: QLatin1String(function)); |
654 | } |
655 | |
656 | bool DtlsState::initCtxAndConnection(QDtlsBasePrivate *dtlsBase) |
657 | { |
658 | Q_ASSERT(dtlsBase); |
659 | Q_ASSERT(QSslSocket::supportsSsl()); |
660 | |
661 | if (dtlsBase->mode == QSslSocket::UnencryptedMode) { |
662 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
663 | description: QDtls::tr(s: "Invalid SslMode, SslServerMode or SslClientMode expected" )); |
664 | return false; |
665 | } |
666 | |
667 | if (!QDtlsBasePrivate::isDtlsProtocol(protocol: dtlsBase->dtlsConfiguration.protocol)) { |
668 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
669 | description: QDtls::tr(s: "Invalid protocol version, DTLS protocol expected" )); |
670 | return false; |
671 | } |
672 | |
673 | // Create a deep copy of our configuration |
674 | auto configurationCopy = new QSslConfigurationPrivate(dtlsBase->dtlsConfiguration); |
675 | configurationCopy->ref.storeRelaxed(newValue: 0); // the QSslConfiguration constructor refs up |
676 | |
677 | // DTLSTODO: check we do not set something DTLS-incompatible there ... |
678 | TlsContext newContext(QSslContext::sharedFromConfiguration(mode: dtlsBase->mode, |
679 | configuration: configurationCopy, |
680 | allowRootCertOnDemandLoading: dtlsBase->dtlsConfiguration.allowRootCertOnDemandLoading)); |
681 | |
682 | if (newContext->error() != QSslError::NoError) { |
683 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, description: newContext->errorString()); |
684 | return false; |
685 | } |
686 | |
687 | TlsConnection newConnection(newContext->createSsl(), dtlsutil::delete_connection); |
688 | if (!newConnection.data()) { |
689 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
690 | description: msgFunctionFailed(function: "SSL_new" )); |
691 | return false; |
692 | } |
693 | |
694 | const int set = q_SSL_set_ex_data(ssl: newConnection.data(), |
695 | idx: QSslSocketBackendPrivate::s_indexForSSLExtraData, |
696 | arg: this); |
697 | |
698 | if (set != 1 && configurationCopy->peerVerifyMode != QSslSocket::VerifyNone) { |
699 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
700 | description: msgFunctionFailed(function: "SSL_set_ex_data" )); |
701 | return false; |
702 | } |
703 | |
704 | if (dtlsBase->mode == QSslSocket::SslServerMode) { |
705 | if (dtlsBase->dtlsConfiguration.dtlsCookieEnabled) |
706 | q_SSL_set_options(s: newConnection.data(), SSL_OP_COOKIE_EXCHANGE); |
707 | q_SSL_set_psk_server_callback(ssl: newConnection.data(), callback: dtlscallbacks::q_PSK_server_callback); |
708 | } else { |
709 | q_SSL_set_psk_client_callback(ssl: newConnection.data(), callback: dtlscallbacks::q_PSK_client_callback); |
710 | } |
711 | |
712 | tlsContext.swap(other&: newContext); |
713 | tlsConnection.swap(other&: newConnection); |
714 | |
715 | return true; |
716 | } |
717 | |
718 | bool DtlsState::initBIO(QDtlsBasePrivate *dtlsBase) |
719 | { |
720 | Q_ASSERT(dtlsBase); |
721 | Q_ASSERT(tlsContext.data() && tlsConnection.data()); |
722 | |
723 | BioMethod customMethod(q_BIO_meth_new(BIO_TYPE_DGRAM, name: dtlsbio::qdtlsMethodName), |
724 | dtlsutil::delete_bio_method); |
725 | if (!customMethod.data()) { |
726 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
727 | description: msgFunctionFailed(function: "BIO_meth_new" )); |
728 | return false; |
729 | } |
730 | |
731 | BIO_METHOD *biom = customMethod.data(); |
732 | q_BIO_meth_set_create(biom, dtlsbio::q_dgram_create); |
733 | q_BIO_meth_set_destroy(biom, dtlsbio::q_dgram_destroy); |
734 | q_BIO_meth_set_read(biom, dtlsbio::q_dgram_read); |
735 | q_BIO_meth_set_write(biom, dtlsbio::q_dgram_write); |
736 | q_BIO_meth_set_puts(biom, dtlsbio::q_dgram_puts); |
737 | q_BIO_meth_set_ctrl(biom, dtlsbio::q_dgram_ctrl); |
738 | |
739 | BIO *bio = q_BIO_new(a: biom); |
740 | if (!bio) { |
741 | dtlsBase->setDtlsError(code: QDtlsError::TlsInitializationError, |
742 | description: msgFunctionFailed(function: "BIO_new" )); |
743 | return false; |
744 | } |
745 | |
746 | q_SSL_set_bio(a: tlsConnection.data(), b: bio, c: bio); |
747 | |
748 | bioMethod.swap(other&: customMethod); |
749 | |
750 | return true; |
751 | } |
752 | |
753 | void DtlsState::setLinkMtu(QDtlsBasePrivate *dtlsBase) |
754 | { |
755 | Q_ASSERT(dtlsBase); |
756 | Q_ASSERT(udpSocket); |
757 | Q_ASSERT(tlsConnection.data()); |
758 | |
759 | long mtu = dtlsBase->mtuHint; |
760 | if (!mtu) { |
761 | // If the underlying QUdpSocket was connected, getsockopt with |
762 | // IP_MTU/IP6_MTU can give us some hint: |
763 | bool optionFound = false; |
764 | if (udpSocket->state() == QAbstractSocket::ConnectedState) { |
765 | const QVariant val(udpSocket->socketOption(option: QAbstractSocket::PathMtuSocketOption)); |
766 | if (val.isValid() && val.canConvert<int>()) |
767 | mtu = val.toInt(ok: &optionFound); |
768 | } |
769 | |
770 | if (!optionFound || mtu <= 0) { |
771 | // OK, our own initial guess. |
772 | mtu = long(dtlsutil::MtuGuess::defaultMtu); |
773 | } |
774 | } |
775 | |
776 | // For now, we disable this option. |
777 | q_SSL_set_options(s: tlsConnection.data(), SSL_OP_NO_QUERY_MTU); |
778 | |
779 | q_DTLS_set_link_mtu(tlsConnection.data(), mtu); |
780 | } |
781 | |
782 | } // namespace dtlsopenssl |
783 | |
784 | QDtlsClientVerifierOpenSSL::QDtlsClientVerifierOpenSSL() |
785 | { |
786 | secret = dtlsutil::fallbackSecret(); |
787 | } |
788 | |
789 | bool QDtlsClientVerifierOpenSSL::verifyClient(QUdpSocket *socket, const QByteArray &dgram, |
790 | const QHostAddress &address, quint16 port) |
791 | { |
792 | Q_ASSERT(socket); |
793 | Q_ASSERT(dgram.size()); |
794 | Q_ASSERT(!address.isNull()); |
795 | Q_ASSERT(port); |
796 | |
797 | clearDtlsError(); |
798 | verifiedClientHello.clear(); |
799 | |
800 | if (!dtls.init(dtlsBase: this, socket, remote: address, port, receivedMessage: dgram)) |
801 | return false; |
802 | |
803 | dtls.secret = secret; |
804 | dtls.hashAlgorithm = hashAlgorithm; |
805 | |
806 | Q_ASSERT(dtls.tlsConnection.data()); |
807 | QSharedPointer<BIO_ADDR> peer(q_BIO_ADDR_new(), dtlsutil::delete_BIO_ADDR); |
808 | if (!peer.data()) { |
809 | setDtlsError(code: QDtlsError::TlsInitializationError, |
810 | description: QDtlsClientVerifier::tr(s: "BIO_ADDR_new failed, ignoring client hello" )); |
811 | return false; |
812 | } |
813 | |
814 | const int ret = q_DTLSv1_listen(s: dtls.tlsConnection.data(), client: peer.data()); |
815 | if (ret < 0) { |
816 | // Since 1.1 - it's a fatal error (not so in 1.0.2 for non-blocking socket) |
817 | setDtlsError(code: QDtlsError::TlsFatalError, description: QSslSocketBackendPrivate::getErrorsFromOpenSsl()); |
818 | return false; |
819 | } |
820 | |
821 | if (ret > 0) { |
822 | verifiedClientHello = dgram; |
823 | return true; |
824 | } |
825 | |
826 | return false; |
827 | } |
828 | |
829 | void QDtlsPrivateOpenSSL::TimeoutHandler::start(int hintMs) |
830 | { |
831 | Q_ASSERT(timerId == -1); |
832 | timerId = startTimer(interval: hintMs > 0 ? hintMs : timeoutMs, timerType: Qt::PreciseTimer); |
833 | } |
834 | |
835 | void QDtlsPrivateOpenSSL::TimeoutHandler::doubleTimeout() |
836 | { |
837 | if (timeoutMs * 2 < 60000) |
838 | timeoutMs *= 2; |
839 | else |
840 | timeoutMs = 60000; |
841 | } |
842 | |
843 | void QDtlsPrivateOpenSSL::TimeoutHandler::stop() |
844 | { |
845 | if (timerId != -1) { |
846 | killTimer(id: timerId); |
847 | timerId = -1; |
848 | } |
849 | } |
850 | |
851 | void QDtlsPrivateOpenSSL::TimeoutHandler::timerEvent(QTimerEvent *event) |
852 | { |
853 | Q_UNUSED(event) |
854 | Q_ASSERT(timerId != -1); |
855 | |
856 | killTimer(id: timerId); |
857 | timerId = -1; |
858 | |
859 | Q_ASSERT(dtlsConnection); |
860 | dtlsConnection->reportTimeout(); |
861 | } |
862 | |
863 | QDtlsPrivateOpenSSL::QDtlsPrivateOpenSSL() |
864 | { |
865 | secret = dtlsutil::fallbackSecret(); |
866 | dtls.dtlsPrivate = this; |
867 | } |
868 | |
869 | bool QDtlsPrivateOpenSSL::startHandshake(QUdpSocket *socket, const QByteArray &dgram) |
870 | { |
871 | Q_ASSERT(socket); |
872 | Q_ASSERT(handshakeState == QDtls::HandshakeNotStarted); |
873 | |
874 | clearDtlsError(); |
875 | connectionEncrypted = false; |
876 | |
877 | if (!dtls.init(dtlsBase: this, socket, remote: remoteAddress, port: remotePort, receivedMessage: dgram)) |
878 | return false; |
879 | |
880 | if (mode == QSslSocket::SslServerMode && dtlsConfiguration.dtlsCookieEnabled) { |
881 | dtls.secret = secret; |
882 | dtls.hashAlgorithm = hashAlgorithm; |
883 | // Let's prepare the state machine so that message sequence 1 does not |
884 | // surprise DTLS/OpenSSL (such a message would be disregarded as |
885 | // 'stale or future' in SSL_accept otherwise): |
886 | int result = 0; |
887 | QSharedPointer<BIO_ADDR> peer(q_BIO_ADDR_new(), dtlsutil::delete_BIO_ADDR); |
888 | if (!peer.data()) { |
889 | setDtlsError(code: QDtlsError::TlsInitializationError, |
890 | description: QDtls::tr(s: "BIO_ADD_new failed, cannot start handshake" )); |
891 | return false; |
892 | } |
893 | |
894 | // If it's an invalid/unexpected ClientHello, we don't want to send |
895 | // VerifyClientRequest - it's a job of QDtlsClientVerifier - so we |
896 | // suppress any attempts to write into socket: |
897 | dtls.writeSuppressed = true; |
898 | result = q_DTLSv1_listen(s: dtls.tlsConnection.data(), client: peer.data()); |
899 | dtls.writeSuppressed = false; |
900 | |
901 | if (result <= 0) { |
902 | setDtlsError(code: QDtlsError::TlsFatalError, |
903 | description: QDtls::tr(s: "Cannot start the handshake, verified client hello expected" )); |
904 | dtls.reset(); |
905 | return false; |
906 | } |
907 | } |
908 | |
909 | handshakeState = QDtls::HandshakeInProgress; |
910 | opensslErrors.clear(); |
911 | tlsErrors.clear(); |
912 | |
913 | return continueHandshake(socket, datagram: dgram); |
914 | } |
915 | |
916 | bool QDtlsPrivateOpenSSL::continueHandshake(QUdpSocket *socket, const QByteArray &dgram) |
917 | { |
918 | Q_ASSERT(socket); |
919 | |
920 | Q_ASSERT(handshakeState == QDtls::HandshakeInProgress); |
921 | |
922 | clearDtlsError(); |
923 | |
924 | if (timeoutHandler.data()) |
925 | timeoutHandler->stop(); |
926 | |
927 | if (!dtls.init(dtlsBase: this, socket, remote: remoteAddress, port: remotePort, receivedMessage: dgram)) |
928 | return false; |
929 | |
930 | dtls.x509Errors.clear(); |
931 | |
932 | int result = 0; |
933 | if (mode == QSslSocket::SslServerMode) |
934 | result = q_SSL_accept(a: dtls.tlsConnection.data()); |
935 | else |
936 | result = q_SSL_connect(a: dtls.tlsConnection.data()); |
937 | |
938 | // DTLSTODO: Investigate/test if it makes sense - QSslSocket can emit |
939 | // peerVerifyError at this point (and thus potentially client code |
940 | // will close the underlying TCP connection immediately), but we are using |
941 | // QUdpSocket, no connection to close, our verification callback returns 1 |
942 | // (verified OK) and this probably means OpenSSL has already sent a reply |
943 | // to the server's hello/certificate. |
944 | |
945 | opensslErrors << dtls.x509Errors; |
946 | |
947 | if (result <= 0) { |
948 | const auto code = q_SSL_get_error(a: dtls.tlsConnection.data(), b: result); |
949 | switch (code) { |
950 | case SSL_ERROR_WANT_READ: |
951 | case SSL_ERROR_WANT_WRITE: |
952 | // DTLSTODO: to be tested - in principle, if it was the first call to |
953 | // continueHandshake and server for some reason discards the client |
954 | // hello message (even the verified one) - our 'this' will probably |
955 | // forever stay in this strange InProgress state? (the client |
956 | // will dully re-transmit the same hello and we discard it again?) |
957 | // SSL_get_state can provide more information about state |
958 | // machine and we can switch to NotStarted (since we have not |
959 | // replied with our hello ...) |
960 | if (!timeoutHandler.data()) { |
961 | timeoutHandler.reset(other: new TimeoutHandler); |
962 | timeoutHandler->dtlsConnection = this; |
963 | } else { |
964 | // Back to 1s. |
965 | timeoutHandler->resetTimeout(); |
966 | } |
967 | |
968 | timeoutHandler->start(); |
969 | |
970 | return true; // The handshake is not yet complete. |
971 | default: |
972 | storePeerCertificates(); |
973 | setDtlsError(code: QDtlsError::TlsFatalError, |
974 | description: QSslSocketBackendPrivate::msgErrorsDuringHandshake()); |
975 | dtls.reset(); |
976 | handshakeState = QDtls::HandshakeNotStarted; |
977 | return false; |
978 | } |
979 | } |
980 | |
981 | storePeerCertificates(); |
982 | fetchNegotiatedParameters(); |
983 | |
984 | const bool doVerifyPeer = dtlsConfiguration.peerVerifyMode == QSslSocket::VerifyPeer |
985 | || (dtlsConfiguration.peerVerifyMode == QSslSocket::AutoVerifyPeer |
986 | && mode == QSslSocket::SslClientMode); |
987 | |
988 | if (!doVerifyPeer || verifyPeer() || tlsErrorsWereIgnored()) { |
989 | connectionEncrypted = true; |
990 | handshakeState = QDtls::HandshakeComplete; |
991 | return true; |
992 | } |
993 | |
994 | setDtlsError(code: QDtlsError::PeerVerificationError, description: QDtls::tr(s: "Peer verification failed" )); |
995 | handshakeState = QDtls::PeerVerificationFailed; |
996 | return false; |
997 | } |
998 | |
999 | |
1000 | bool QDtlsPrivateOpenSSL::handleTimeout(QUdpSocket *socket) |
1001 | { |
1002 | Q_ASSERT(socket); |
1003 | |
1004 | Q_ASSERT(timeoutHandler.data()); |
1005 | Q_ASSERT(dtls.tlsConnection.data()); |
1006 | |
1007 | clearDtlsError(); |
1008 | |
1009 | dtls.udpSocket = socket; |
1010 | |
1011 | if (q_DTLSv1_handle_timeout(dtls.tlsConnection.data()) > 0) { |
1012 | timeoutHandler->doubleTimeout(); |
1013 | timeoutHandler->start(); |
1014 | } else { |
1015 | timeoutHandler->start(hintMs: dtlsutil::next_timeoutMs(tlsConnection: dtls.tlsConnection.data())); |
1016 | } |
1017 | |
1018 | return true; |
1019 | } |
1020 | |
1021 | bool QDtlsPrivateOpenSSL::resumeHandshake(QUdpSocket *socket) |
1022 | { |
1023 | Q_UNUSED(socket); |
1024 | Q_ASSERT(socket); |
1025 | Q_ASSERT(handshakeState == QDtls::PeerVerificationFailed); |
1026 | |
1027 | clearDtlsError(); |
1028 | |
1029 | if (tlsErrorsWereIgnored()) { |
1030 | handshakeState = QDtls::HandshakeComplete; |
1031 | connectionEncrypted = true; |
1032 | tlsErrors.clear(); |
1033 | tlsErrorsToIgnore.clear(); |
1034 | return true; |
1035 | } |
1036 | |
1037 | return false; |
1038 | } |
1039 | |
1040 | void QDtlsPrivateOpenSSL::abortHandshake(QUdpSocket *socket) |
1041 | { |
1042 | Q_ASSERT(socket); |
1043 | Q_ASSERT(handshakeState == QDtls::PeerVerificationFailed |
1044 | || handshakeState == QDtls::HandshakeInProgress); |
1045 | |
1046 | clearDtlsError(); |
1047 | |
1048 | if (handshakeState == QDtls::PeerVerificationFailed) { |
1049 | // Yes, while peer verification failed, we were actually encrypted. |
1050 | // Let's play it nice - inform our peer about connection shut down. |
1051 | sendShutdownAlert(socket); |
1052 | } else { |
1053 | resetDtls(); |
1054 | } |
1055 | } |
1056 | |
1057 | void QDtlsPrivateOpenSSL::sendShutdownAlert(QUdpSocket *socket) |
1058 | { |
1059 | Q_ASSERT(socket); |
1060 | |
1061 | clearDtlsError(); |
1062 | |
1063 | if (connectionEncrypted && !connectionWasShutdown) { |
1064 | dtls.udpSocket = socket; |
1065 | Q_ASSERT(dtls.tlsConnection.data()); |
1066 | q_SSL_shutdown(a: dtls.tlsConnection.data()); |
1067 | } |
1068 | |
1069 | resetDtls(); |
1070 | } |
1071 | |
1072 | qint64 QDtlsPrivateOpenSSL::writeDatagramEncrypted(QUdpSocket *socket, |
1073 | const QByteArray &dgram) |
1074 | { |
1075 | Q_ASSERT(socket); |
1076 | Q_ASSERT(dtls.tlsConnection.data()); |
1077 | Q_ASSERT(connectionEncrypted); |
1078 | |
1079 | clearDtlsError(); |
1080 | |
1081 | dtls.udpSocket = socket; |
1082 | const int written = q_SSL_write(a: dtls.tlsConnection.data(), |
1083 | b: dgram.constData(), c: dgram.size()); |
1084 | if (written > 0) |
1085 | return written; |
1086 | |
1087 | const unsigned long errorCode = q_ERR_get_error(); |
1088 | if (!dgram.size() && errorCode == SSL_ERROR_NONE) { |
1089 | // With OpenSSL <= 1.1 this can happen. For example, DTLS client |
1090 | // tries to reconnect (while re-using the same address/port) - |
1091 | // DTLS server drops a message with unexpected epoch but says - no |
1092 | // error. We leave to client code to resolve such problems until |
1093 | // OpenSSL provides something better. |
1094 | return 0; |
1095 | } |
1096 | |
1097 | switch (errorCode) { |
1098 | case SSL_ERROR_WANT_WRITE: |
1099 | case SSL_ERROR_WANT_READ: |
1100 | // We do not set any error/description ... a user can probably re-try |
1101 | // sending a datagram. |
1102 | break; |
1103 | case SSL_ERROR_ZERO_RETURN: |
1104 | connectionWasShutdown = true; |
1105 | setDtlsError(code: QDtlsError::TlsFatalError, description: QDtls::tr(s: "The DTLS connection has been closed" )); |
1106 | handshakeState = QDtls::HandshakeNotStarted; |
1107 | dtls.reset(); |
1108 | break; |
1109 | case SSL_ERROR_SYSCALL: |
1110 | case SSL_ERROR_SSL: |
1111 | default: |
1112 | // DTLSTODO: we don't know yet what to do. Tests needed - probably, |
1113 | // some errors can be just ignored (it's UDP, not TCP after all). |
1114 | // Unlike QSslSocket we do not abort though. |
1115 | QString description(QSslSocketBackendPrivate::getErrorsFromOpenSsl()); |
1116 | if (socket->error() != QAbstractSocket::UnknownSocketError && description.isEmpty()) { |
1117 | setDtlsError(code: QDtlsError::UnderlyingSocketError, description: socket->errorString()); |
1118 | } else { |
1119 | setDtlsError(code: QDtlsError::TlsFatalError, |
1120 | description: QDtls::tr(s: "Error while writing: %1" ).arg(a: description)); |
1121 | } |
1122 | } |
1123 | |
1124 | return -1; |
1125 | } |
1126 | |
1127 | QByteArray QDtlsPrivateOpenSSL::decryptDatagram(QUdpSocket *socket, const QByteArray &tlsdgram) |
1128 | { |
1129 | Q_ASSERT(socket); |
1130 | Q_ASSERT(tlsdgram.size()); |
1131 | |
1132 | Q_ASSERT(dtls.tlsConnection.data()); |
1133 | Q_ASSERT(connectionEncrypted); |
1134 | |
1135 | dtls.dgram = tlsdgram; |
1136 | dtls.udpSocket = socket; |
1137 | |
1138 | clearDtlsError(); |
1139 | |
1140 | QByteArray dgram; |
1141 | dgram.resize(size: tlsdgram.size()); |
1142 | const int read = q_SSL_read(a: dtls.tlsConnection.data(), b: dgram.data(), |
1143 | c: dgram.size()); |
1144 | |
1145 | if (read > 0) { |
1146 | dgram.resize(size: read); |
1147 | return dgram; |
1148 | } |
1149 | |
1150 | dgram.clear(); |
1151 | unsigned long errorCode = q_ERR_get_error(); |
1152 | if (errorCode == SSL_ERROR_NONE) { |
1153 | const int shutdown = q_SSL_get_shutdown(ssl: dtls.tlsConnection.data()); |
1154 | if (shutdown & SSL_RECEIVED_SHUTDOWN) |
1155 | errorCode = SSL_ERROR_ZERO_RETURN; |
1156 | else |
1157 | return dgram; |
1158 | } |
1159 | |
1160 | switch (errorCode) { |
1161 | case SSL_ERROR_WANT_READ: |
1162 | case SSL_ERROR_WANT_WRITE: |
1163 | return dgram; |
1164 | case SSL_ERROR_ZERO_RETURN: |
1165 | // "The connection was shut down cleanly" ... hmm, whatever, |
1166 | // needs testing (DTLSTODO). |
1167 | connectionWasShutdown = true; |
1168 | setDtlsError(code: QDtlsError::RemoteClosedConnectionError, |
1169 | description: QDtls::tr(s: "The DTLS connection has been shutdown" )); |
1170 | dtls.reset(); |
1171 | connectionEncrypted = false; |
1172 | handshakeState = QDtls::HandshakeNotStarted; |
1173 | return dgram; |
1174 | case SSL_ERROR_SYSCALL: // some IO error |
1175 | case SSL_ERROR_SSL: // error in the SSL library |
1176 | // DTLSTODO: Apparently, some errors can be ignored, for example, |
1177 | // ECONNRESET etc. This all needs a lot of testing!!! |
1178 | default: |
1179 | setDtlsError(code: QDtlsError::TlsNonFatalError, |
1180 | description: QDtls::tr(s: "Error while reading: %1" ) |
1181 | .arg(a: QSslSocketBackendPrivate::getErrorsFromOpenSsl())); |
1182 | return dgram; |
1183 | } |
1184 | } |
1185 | |
1186 | unsigned QDtlsPrivateOpenSSL::pskClientCallback(const char *hint, char *identity, |
1187 | unsigned max_identity_len, |
1188 | unsigned char *psk, |
1189 | unsigned max_psk_len) |
1190 | { |
1191 | // The code below is taken (with some modifications) from qsslsocket_openssl |
1192 | // - alas, we cannot simply re-use it, it's in QSslSocketPrivate. |
1193 | |
1194 | Q_Q(QDtls); |
1195 | |
1196 | { |
1197 | QSslPreSharedKeyAuthenticator authenticator; |
1198 | // Fill in some read-only fields (for client code) |
1199 | if (hint) { |
1200 | identityHint.clear(); |
1201 | identityHint.append(s: hint); |
1202 | // From the original code in QSslSocket: |
1203 | // "it's NULL terminated, but do not include the NULL" == this fromRawData(ptr/size). |
1204 | authenticator.d->identityHint = QByteArray::fromRawData(identityHint.constData(), |
1205 | size: int(std::strlen(s: hint))); |
1206 | } |
1207 | |
1208 | authenticator.d->maximumIdentityLength = int(max_identity_len) - 1; // needs to be NULL terminated |
1209 | authenticator.d->maximumPreSharedKeyLength = int(max_psk_len); |
1210 | |
1211 | pskAuthenticator.swap(other&: authenticator); |
1212 | } |
1213 | |
1214 | // Let the client provide the remaining bits... |
1215 | emit q->pskRequired(authenticator: &pskAuthenticator); |
1216 | |
1217 | // No PSK set? Return now to make the handshake fail |
1218 | if (pskAuthenticator.preSharedKey().isEmpty()) |
1219 | return 0; |
1220 | |
1221 | // Copy data back into OpenSSL |
1222 | const int identityLength = qMin(a: pskAuthenticator.identity().length(), |
1223 | b: pskAuthenticator.maximumIdentityLength()); |
1224 | std::memcpy(dest: identity, src: pskAuthenticator.identity().constData(), n: identityLength); |
1225 | identity[identityLength] = 0; |
1226 | |
1227 | const int pskLength = qMin(a: pskAuthenticator.preSharedKey().length(), |
1228 | b: pskAuthenticator.maximumPreSharedKeyLength()); |
1229 | std::memcpy(dest: psk, src: pskAuthenticator.preSharedKey().constData(), n: pskLength); |
1230 | |
1231 | return pskLength; |
1232 | } |
1233 | |
1234 | unsigned QDtlsPrivateOpenSSL::pskServerCallback(const char *identity, unsigned char *psk, |
1235 | unsigned max_psk_len) |
1236 | { |
1237 | Q_Q(QDtls); |
1238 | |
1239 | { |
1240 | QSslPreSharedKeyAuthenticator authenticator; |
1241 | // Fill in some read-only fields (for the user) |
1242 | authenticator.d->identityHint = dtlsConfiguration.preSharedKeyIdentityHint; |
1243 | authenticator.d->identity = identity; |
1244 | authenticator.d->maximumIdentityLength = 0; // user cannot set an identity |
1245 | authenticator.d->maximumPreSharedKeyLength = int(max_psk_len); |
1246 | |
1247 | pskAuthenticator.swap(other&: authenticator); |
1248 | } |
1249 | |
1250 | // Let the client provide the remaining bits... |
1251 | emit q->pskRequired(authenticator: &pskAuthenticator); |
1252 | |
1253 | // No PSK set? Return now to make the handshake fail |
1254 | if (pskAuthenticator.preSharedKey().isEmpty()) |
1255 | return 0; |
1256 | |
1257 | // Copy data back into OpenSSL |
1258 | const int pskLength = qMin(a: pskAuthenticator.preSharedKey().length(), |
1259 | b: pskAuthenticator.maximumPreSharedKeyLength()); |
1260 | |
1261 | std::memcpy(dest: psk, src: pskAuthenticator.preSharedKey().constData(), n: pskLength); |
1262 | |
1263 | return pskLength; |
1264 | } |
1265 | |
1266 | // The definition is located in qsslsocket_openssl.cpp. |
1267 | QSslError _q_OpenSSL_to_QSslError(int errorCode, const QSslCertificate &cert); |
1268 | |
1269 | bool QDtlsPrivateOpenSSL::verifyPeer() |
1270 | { |
1271 | // DTLSTODO: Windows-specific code for CA fetcher is not here yet. |
1272 | QVector<QSslError> errors; |
1273 | |
1274 | // Check the whole chain for blacklisting (including root, as we check for |
1275 | // subjectInfo and issuer) |
1276 | for (const QSslCertificate &cert : qAsConst(t&: dtlsConfiguration.peerCertificateChain)) { |
1277 | if (QSslCertificatePrivate::isBlacklisted(certificate: cert)) |
1278 | errors << QSslError(QSslError::CertificateBlacklisted, cert); |
1279 | } |
1280 | |
1281 | if (dtlsConfiguration.peerCertificate.isNull()) { |
1282 | errors << QSslError(QSslError::NoPeerCertificate); |
1283 | } else if (mode == QSslSocket::SslClientMode) { |
1284 | // Check the peer certificate itself. First try the subject's common name |
1285 | // (CN) as a wildcard, then try all alternate subject name DNS entries the |
1286 | // same way. |
1287 | |
1288 | // QSslSocket has a rather twisted logic: if verificationPeerName |
1289 | // is empty, we call QAbstractSocket::peerName(), which returns |
1290 | // either peerName (can be set by setPeerName) or host name |
1291 | // (can be set as a result of connectToHost). |
1292 | QString name = peerVerificationName; |
1293 | if (name.isEmpty()) { |
1294 | Q_ASSERT(dtls.udpSocket); |
1295 | name = dtls.udpSocket->peerName(); |
1296 | } |
1297 | |
1298 | if (!QSslSocketPrivate::isMatchingHostname(cert: dtlsConfiguration.peerCertificate, peerName: name)) |
1299 | errors << QSslError(QSslError::HostNameMismatch, dtlsConfiguration.peerCertificate); |
1300 | } |
1301 | |
1302 | // Translate errors from the error list into QSslErrors |
1303 | errors.reserve(asize: errors.size() + opensslErrors.size()); |
1304 | for (const auto &error : qAsConst(t&: opensslErrors)) { |
1305 | errors << _q_OpenSSL_to_QSslError(errorCode: error.code, |
1306 | cert: dtlsConfiguration.peerCertificateChain.value(i: error.depth)); |
1307 | } |
1308 | |
1309 | tlsErrors = errors; |
1310 | return tlsErrors.isEmpty(); |
1311 | } |
1312 | |
1313 | void QDtlsPrivateOpenSSL::storePeerCertificates() |
1314 | { |
1315 | Q_ASSERT(dtls.tlsConnection.data()); |
1316 | // Store the peer certificate and chain. For clients, the peer certificate |
1317 | // chain includes the peer certificate; for servers, it doesn't. Both the |
1318 | // peer certificate and the chain may be empty if the peer didn't present |
1319 | // any certificate. |
1320 | X509 *x509 = q_SSL_get_peer_certificate(a: dtls.tlsConnection.data()); |
1321 | dtlsConfiguration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509); |
1322 | q_X509_free(a: x509); |
1323 | if (dtlsConfiguration.peerCertificateChain.isEmpty()) { |
1324 | auto stack = q_SSL_get_peer_cert_chain(a: dtls.tlsConnection.data()); |
1325 | dtlsConfiguration.peerCertificateChain = QSslSocketBackendPrivate::STACKOFX509_to_QSslCertificates(x509: stack); |
1326 | if (!dtlsConfiguration.peerCertificate.isNull() && mode == QSslSocket::SslServerMode) |
1327 | dtlsConfiguration.peerCertificateChain.prepend(t: dtlsConfiguration.peerCertificate); |
1328 | } |
1329 | } |
1330 | |
1331 | bool QDtlsPrivateOpenSSL::tlsErrorsWereIgnored() const |
1332 | { |
1333 | // check whether the errors we got are all in the list of expected errors |
1334 | // (applies only if the method QDtlsConnection::ignoreTlsErrors(const |
1335 | // QVector<QSslError> &errors) was called) |
1336 | for (const QSslError &error : tlsErrors) { |
1337 | if (!tlsErrorsToIgnore.contains(t: error)) |
1338 | return false; |
1339 | } |
1340 | |
1341 | return !tlsErrorsToIgnore.empty(); |
1342 | } |
1343 | |
1344 | void QDtlsPrivateOpenSSL::fetchNegotiatedParameters() |
1345 | { |
1346 | Q_ASSERT(dtls.tlsConnection.data()); |
1347 | |
1348 | const SSL_CIPHER *cipher = q_SSL_get_current_cipher(a: dtls.tlsConnection.data()); |
1349 | sessionCipher = cipher ? QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher) |
1350 | : QSslCipher(); |
1351 | |
1352 | // Note: cipher's protocol version will be reported as either TLS 1.0 or |
1353 | // TLS 1.2, that's how it's set by OpenSSL (and that's what they are?). |
1354 | |
1355 | switch (q_SSL_version(a: dtls.tlsConnection.data())) { |
1356 | case DTLS1_VERSION: |
1357 | sessionProtocol = QSsl::DtlsV1_0; |
1358 | break; |
1359 | case DTLS1_2_VERSION: |
1360 | sessionProtocol = QSsl::DtlsV1_2; |
1361 | break; |
1362 | default: |
1363 | qCWarning(lcSsl, "unknown protocol version" ); |
1364 | sessionProtocol = QSsl::UnknownProtocol; |
1365 | } |
1366 | } |
1367 | |
1368 | void QDtlsPrivateOpenSSL::reportTimeout() |
1369 | { |
1370 | Q_Q(QDtls); |
1371 | |
1372 | emit q->handshakeTimeout(); |
1373 | } |
1374 | |
1375 | void QDtlsPrivateOpenSSL::resetDtls() |
1376 | { |
1377 | dtls.reset(); |
1378 | connectionEncrypted = false; |
1379 | tlsErrors.clear(); |
1380 | tlsErrorsToIgnore.clear(); |
1381 | dtlsConfiguration.peerCertificate.clear(); |
1382 | dtlsConfiguration.peerCertificateChain.clear(); |
1383 | connectionWasShutdown = false; |
1384 | handshakeState = QDtls::HandshakeNotStarted; |
1385 | sessionCipher = {}; |
1386 | sessionProtocol = QSsl::UnknownProtocol; |
1387 | } |
1388 | |
1389 | QT_END_NAMESPACE |
1390 | |