32 #ifndef QCA_SECURELAYER_H
33 #define QCA_SECURELAYER_H
/// @brief Writes unencrypted (plain) data to the SecureLayer implementation.
/// Pure virtual: each concrete layer supplies its own encoding step; the
/// encoded (typically encrypted) form is presumably retrieved afterwards with
/// readOutgoing() — confirm against the concrete layer's documentation.
/// @param a plain application data to be protected by the layer
149 virtual void write(
const QByteArray &a) = 0;
/// @brief Constructor for a Transport Layer Security connection.
/// The overload taking a Mode lets the operating mode be chosen explicitly.
/// @param parent   owning QObject, or nullptr
/// @param provider provider selection string; an empty string (the default)
///                 presumably lets QCA pick a provider — confirm in qca_core.h
348 explicit TLS(
QObject *parent =
nullptr,
const QString &provider = QString());
/// @brief Constructor for a Transport Layer Security connection with an explicit operating mode.
/// @param mode     operating mode (see the Mode enumeration; Stream is one of its values)
/// @param parent   owning QObject, or nullptr
/// @param provider provider selection string; an empty string (the default)
///                 presumably lets QCA pick a provider — confirm in qca_core.h
361 explicit TLS(
Mode mode,
QObject *parent =
nullptr,
const QString &provider = QString());
/// @brief Writes unencrypted (plain) data to this TLS layer (SecureLayer::write override).
/// @param a plain application data to be encrypted for the peer
688 void write(
const QByteArray &a)
override;
800 friend class Private;
869 AuthFlagsNone = 0x00,
871 AllowAnonymous = 0x02,
872 RequireForwardSecrecy = 0x04,
873 RequirePassCredentials = 0x08,
874 RequireMutualAuth = 0x10,
875 RequireAuthzidSupport = 0x20
883 AllowClientSendFirst,
884 DisableClientSendFirst
893 DisableServerSendLast
/// @brief Standard constructor for the SASL parameter flags.
/// The four flags presumably back needUsername(), canSendAuthzid(),
/// needPassword() and canSendRealm() respectively — confirm against the
/// accessor definitions.
/// @param user    whether a username is needed
/// @param authzid whether an authorization ID can be sent
/// @param pass    whether a password is needed
/// @param realm   whether a realm can be sent
922 Params(
bool user,
bool authzid,
bool pass,
bool realm);
/// @brief Standard constructor for a SASL (Simple Authentication and Security Layer) object.
/// @param parent   owning QObject, or nullptr
/// @param provider provider selection string; an empty string (the default)
///                 presumably lets QCA pick a provider — confirm in qca_core.h
972 explicit SASL(
QObject *parent =
nullptr,
const QString &provider = QString());
1055 const QString &host,
1056 const QStringList &mechlist,
1071 const QString &host,
1072 const QString &realm,
/// @brief Writes unencrypted (plain) data to this SASL layer (SecureLayer::write override).
/// @param a plain application data to be protected by the negotiated SASL security layer
1180 void write(
const QByteArray &a)
override;
/// @brief Signal emitted when the server needs to perform the authentication check.
/// The receiver presumably resumes negotiation via continueAfterAuthCheck()
/// once the identities have been checked — confirm with that method's docs.
/// @param user    the username to be checked
/// @param authzid the authorization identity to be checked
1237 void authCheck(
const QString &user,
const QString &authzid);
1245 Q_DISABLE_COPY(
SASL)
1248 friend class Private;
General superclass for an algorithm.
Definition: qca_core.h:1164
A chain of related Certificates.
Definition: qca_cert.h:1226
Bundle of Certificates and CRLs.
Definition: qca_cert.h:1929
Certificate chain and private key pair.
Definition: qca_cert.h:2176
Generic private key.
Definition: qca_publickey.h:833
Parameter flags for the SASL authentication.
Definition: qca_securelayer.h:907
bool needPassword() const
Password is needed.
bool canSendAuthzid() const
An Authorization ID can be sent if desired.
Params & operator=(const Params &from)
Standard assignment operator.
bool needUsername() const
User is needed.
bool canSendRealm() const
A Realm can be sent if desired.
Params(bool user, bool authzid, bool pass, bool realm)
Standard constructor.
Params(const Params &from)
Standard copy constructor.
Simple Authentication and Security Layer protocol implementation.
Definition: qca_securelayer.h:832
void startServer(const QString &service, const QString &host, const QString &realm, ServerSendMode mode=DisableServerSendLast)
Initialise the server side of the connection.
void putServerFirstStep(const QString &mech)
Process the first step in server mode (server)
void setUsername(const QString &user)
Specify the username to use in authentication.
void setExternalSSF(int strength)
Specify a security strength factor for an externally secured connection.
Error errorCode() const
Return the error code.
void authCheck(const QString &user, const QString &authzid)
This signal is emitted when the server needs to perform the authentication check.
void continueAfterParams()
Continue negotiation after parameters have been set (client)
void write(const QByteArray &a) override
This method writes unencrypted (plain) data to the SecureLayer implementation.
void startClient(const QString &service, const QString &host, const QStringList &mechlist, ClientSendMode mode=AllowClientSendFirst)
Initialise the client side of the connection.
int convertBytesWritten(qint64 encryptedBytes) override
Convert encrypted bytes written to plain text bytes written.
SASL(QObject *parent=nullptr, const QString &provider=QString())
Standard constructor.
void setConstraints(AuthFlags f, SecurityLevel s=SL_None)
Specify connection constraints.
void setAuthzid(const QString &auth)
Specify the authorization identity to use in authentication.
void nextStep(const QByteArray &stepData)
This signal is emitted when there is data required to be sent over the network to complete the next s...
void continueAfterAuthCheck()
Continue negotiation after auth ids have been checked (server)
void writeIncoming(const QByteArray &a) override
This method accepts encoded (typically encrypted) data for processing.
AuthCondition
Possible authentication error states.
Definition: qca_securelayer.h:849
@ NeedEncrypt
Encryption is needed in order to use the mechanism (server side only)
Definition: qca_securelayer.h:857
@ TooWeak
Mechanism too weak for this user (server side only)
Definition: qca_securelayer.h:856
@ AuthFail
Generic authentication failure.
Definition: qca_securelayer.h:850
@ BadProtocol
Bad protocol or cancelled.
Definition: qca_securelayer.h:852
@ NoUser
User not found (server side only)
Definition: qca_securelayer.h:860
@ NoMechanism
No compatible/appropriate authentication mechanism.
Definition: qca_securelayer.h:851
@ BadServer
Server failed mutual authentication (client side only)
Definition: qca_securelayer.h:853
@ Expired
Passphrase expired, has to be reset (server side only)
Definition: qca_securelayer.h:858
@ Disabled
Account is disabled (server side only)
Definition: qca_securelayer.h:859
@ BadAuth
Authentication failure (server side only)
Definition: qca_securelayer.h:854
@ NoAuthzid
Authorization failure (server side only)
Definition: qca_securelayer.h:855
ServerSendMode
Mode options for server side sending.
Definition: qca_securelayer.h:891
QString mechanism() const
Return the mechanism selected (client)
void serverStarted()
This signal is emitted after the server has been successfully started.
void setPassword(const SecureArray &pass)
Specify the password to use in authentication.
void setExternalAuthId(const QString &authid)
Specify the id of the externally secured connection.
QStringList realmList() const
Return the realm list, if available (client)
int bytesOutgoingAvailable() const override
Returns the number of bytes available to be readOutgoing() on the network side.
void clientStarted(bool clientInit, const QByteArray &clientInitData)
This signal is emitted when the client has been successfully started.
QByteArray read() override
This method reads decrypted (plain) data from the SecureLayer implementation.
ClientSendMode
Mode options for client side sending.
Definition: qca_securelayer.h:882
void needParams(const QCA::SASL::Params &params)
This signal is emitted when the client needs additional parameters.
QStringList mechanismList() const
Return the mechanism list (server)
Error
Possible errors that may occur when using SASL.
Definition: qca_securelayer.h:839
@ ErrorInit
problem starting up SASL
Definition: qca_securelayer.h:840
@ ErrorHandshake
problem during the authentication process
Definition: qca_securelayer.h:841
int ssf() const
Return the security strength factor of the connection.
void setRemoteAddress(const QString &addr, quint16 port)
Specify the peer address.
void setConstraints(AuthFlags f, int minSSF, int maxSSF)
This is an overloaded member function, provided for convenience. It differs from the above function o...
void putServerFirstStep(const QString &mech, const QByteArray &clientInit)
Process the first step in server mode (server)
void setRealm(const QString &realm)
Specify the realm to use in authentication.
void reset()
Reset the SASL mechanism.
int bytesAvailable() const override
Returns the number of bytes available to be read() on the application side.
AuthCondition authCondition() const
Return the reason for authentication failure.
void authenticated()
This signal is emitted when authentication is complete.
void setLocalAddress(const QString &addr, quint16 port)
Specify the local address.
QByteArray readOutgoing(int *plainBytes=nullptr) override
This method provides encoded (typically encrypted) data.
void putStep(const QByteArray &stepData)
Process an authentication step.
AuthFlags
Authentication requirement flag values.
Definition: qca_securelayer.h:868
Secure array of bytes.
Definition: qca_tools.h:317
Abstract interface to a security layer.
Definition: qca_securelayer.h:105
virtual void write(const QByteArray &a)=0
This method writes unencrypted (plain) data to the SecureLayer implementation.
virtual int convertBytesWritten(qint64 encryptedBytes)=0
Convert encrypted bytes written to plain text bytes written.
virtual QByteArray readUnprocessed()
This allows you to read data without having it decrypted first.
SecureLayer(QObject *parent=nullptr)
Constructor for an abstract secure communications layer.
virtual void writeIncoming(const QByteArray &a)=0
This method accepts encoded (typically encrypted) data for processing.
virtual int bytesAvailable() const =0
Returns the number of bytes available to be read() on the application side.
virtual QByteArray readOutgoing(int *plainBytes=nullptr)=0
This method provides encoded (typically encrypted) data.
void error()
This signal is emitted when an error is detected.
virtual void close()
Close the link.
void readyReadOutgoing()
This signal is emitted when SecureLayer has encrypted (network side) data ready to be read.
virtual QByteArray read()=0
This method reads decrypted (plain) data from the SecureLayer implementation.
void closed()
This signal is emitted when the SecureLayer connection is closed.
virtual bool isClosable() const
Returns true if the layer has a meaningful "close".
virtual int bytesOutgoingAvailable() const =0
Returns the number of bytes available to be readOutgoing() on the network side.
void readyRead()
This signal is emitted when SecureLayer has decrypted (application side) data ready to be read.
Session token, used for TLS resuming.
Definition: qca_securelayer.h:239
TLSSession & operator=(const TLSSession &from)
Assignment operator.
TLSSession(const TLSSession &from)
Copy constructor.
bool isNull() const
Test if the session token is valid.
Transport Layer Security / Secure Socket Layer.
Definition: qca_securelayer.h:290
void setConstraints(SecurityLevel s)
The security level required for this link.
int packetsOutgoingAvailable() const
Determine the number of packets available to be read on the network side.
void setPacketMTU(int size) const
Set the maximum packet size to use.
TLS(Mode mode, QObject *parent=nullptr, const QString &provider=QString())
Constructor for Transport Layer Security connection.
int cipherMaxBits() const
The number of bits of security that the cipher could use.
void write(const QByteArray &a) override
This method writes unencrypted (plain) data to the SecureLayer implementation.
void startClient(const QString &host=QString())
Start the TLS/SSL connection as a client.
Version version() const
The protocol version that is in use for this connection.
void writeIncoming(const QByteArray &a) override
This method accepts encoded (typically encrypted) data for processing.
Mode
Operating mode.
Definition: qca_securelayer.h:297
@ Stream
stream mode
Definition: qca_securelayer.h:298
void setConstraints(int minSSF, int maxSSF)
This is an overloaded member function, provided for convenience. It differs from the above function o...
void continueAfterStep()
Resumes TLS processing.
QList< CertificateInfoOrdered > issuerList() const
PrivateKey localPrivateKey() const
The PrivateKey for the local host certificate.
void hostNameReceived()
Emitted if a host name is set by the client.
int cipherBits() const
The number of effective bits of security being used for this connection.
int bytesOutgoingAvailable() const override
Returns the number of bytes available to be readOutgoing() on the network side.
~TLS() override
Destructor.
QString hostName() const
Returns the host name specified or an empty string if no host name is specified.
TLSSession session() const
The session object of the TLS connection, which can be used for resuming.
Error
Type of error.
Definition: qca_securelayer.h:317
@ ErrorHandshake
problem during the negotiation
Definition: qca_securelayer.h:322
@ ErrorCertKeyMismatch
certificate and private key don't match
Definition: qca_securelayer.h:320
@ ErrorSignerExpired
local certificate is expired
Definition: qca_securelayer.h:318
@ ErrorSignerInvalid
local certificate is invalid in some way
Definition: qca_securelayer.h:319
@ ErrorInit
problem starting up TLS
Definition: qca_securelayer.h:321
void setTrustedCertificates(const CertificateCollection &trusted)
Set up the set of trusted certificates that will be used to verify that the certificate provided is v...
void reset()
Reset the connection.
bool isClosable() const override
Returns true if the layer has a meaningful "close".
void startServer()
Start the TLS/SSL connection as a server.
void setConstraints(const QStringList &cipherSuiteList)
This is an overloaded member function, provided for convenience. It differs from the above function o...
QStringList supportedCipherSuites(const Version &version=TLS_v1) const
Get the list of cipher suites that are available for use.
CertificateCollection trustedCertificates() const
Return the trusted certificates set for this object.
IdentityResult peerIdentityResult() const
After the SSL/TLS handshake is complete, this method allows you to determine if the other end of the ...
QByteArray readOutgoing(int *plainBytes=nullptr) override
This method provides encoded (typically encrypted) data.
IdentityResult
Type of identity.
Definition: qca_securelayer.h:330
@ HostMismatch
valid cert provided, but wrong owner
Definition: qca_securelayer.h:332
@ InvalidCertificate
invalid cert
Definition: qca_securelayer.h:333
@ Valid
identity is verified
Definition: qca_securelayer.h:331
TLS(QObject *parent=nullptr, const QString &provider=QString())
Constructor for Transport Layer Security connection.
bool canSetHostName() const
Test if the link can specify a hostname (Server Name Indication)
void close() override
Close the link.
QByteArray read() override
This method reads decrypted (plain) data from the SecureLayer implementation.
void connectNotify(const QMetaMethod &signal) override
Called when a connection is made to a particular signal.
bool isHandshaken() const
test if the handshake is complete
int packetsAvailable() const
Determine the number of packets available to be read on the application side.
Validity peerCertificateValidity() const
After the SSL/TLS handshake is complete, this method allows you to check if the received certificate fro...
QByteArray readUnprocessed() override
This allows you to read data without having it decrypted first.
Version
Version of TLS or SSL.
Definition: qca_securelayer.h:306
@ SSL_v2
Secure Socket Layer, version 2.
Definition: qca_securelayer.h:309
@ TLS_v1
Transport Layer Security, version 1.
Definition: qca_securelayer.h:307
@ SSL_v3
Secure Socket Layer, version 3.
Definition: qca_securelayer.h:308
int packetMTU() const
Return the currently configured maximum packet size.
Error errorCode() const
This method returns the type of error that has occurred.
bool compressionEnabled() const
Returns true if compression is enabled.
bool canCompress() const
Test if the link can use compression.
int convertBytesWritten(qint64 encryptedBytes) override
Convert encrypted bytes written to plain text bytes written.
CertificateChain peerCertificateChain() const
The CertificateChain from the peer (the other end of the connection), up to the trusted root certificate.
int bytesAvailable() const override
Returns the number of bytes available to be read() on the application side.
void peerCertificateAvailable()
Emitted when a certificate is received from the peer.
QString cipherSuite() const
The cipher suite that has been negotiated for this connection.
void setCertificate(const CertificateChain &cert, const PrivateKey &key)
The local certificate to use.
bool isCompressed() const
test if the link is compressed
void handshaken()
Emitted when the protocol handshake is complete.
void disconnectNotify(const QMetaMethod &signal) override
Called when a connection is removed from a particular signal.
void setIssuerList(const QList< CertificateInfoOrdered > &issuers)
Sets the issuer list to present to the client.
void setSession(const TLSSession &session)
Resume a TLS session using the given session object.
void certificateRequested()
Emitted when the server requests a certificate.
void setCertificate(const KeyBundle &kb)
This is an overloaded member function, provided for convenience. It differs from the above function o...
CertificateChain localCertificateChain() const
The CertificateChain for the local host certificate.
void setCompressionEnabled(bool b)
Set the link to use compression.
QCA - the Qt Cryptographic Architecture.
Definition: qca_basic.h:41
Validity
The validity (or otherwise) of a certificate.
Definition: qca_cert.h:497
SecurityLevel
Specify the lower-bound for acceptable TLS/SASL security layers.
Definition: qca_securelayer.h:60
@ SL_Baseline
must be 128 bit or more
Definition: qca_securelayer.h:64
@ SL_Integrity
must at least get integrity protection
Definition: qca_securelayer.h:62
@ SL_High
must be more than 128 bit
Definition: qca_securelayer.h:65
@ SL_Export
must be export level bits or more
Definition: qca_securelayer.h:63
@ SL_Highest
SL_High or max possible, whichever is greater.
Definition: qca_securelayer.h:66
@ SL_None
indicates that no security at all is acceptable
Definition: qca_securelayer.h:61
Header file for PGP key and X.509 certificate related classes.
Header file for core QCA infrastructure.
Header file for PublicKey and PrivateKey related classes.