| 1 | // Copyright (C) 2021 The Qt Company Ltd. |
|---|
| 2 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
|---|
| 3 | |
|---|
| 4 | |
|---|
| 5 | #include "qsslkey.h" |
|---|
| 6 | #include "qssl_p.h" |
|---|
| 7 | |
|---|
| 8 | QT_BEGIN_NAMESPACE |
|---|
| 9 | |
|---|
| 10 | Q_LOGGING_CATEGORY(lcSsl, "qt.network.ssl" ); |
|---|
| 11 | |
|---|
| 12 | /*! \namespace QSsl |
|---|
| 13 | |
|---|
| 14 | \brief The QSsl namespace declares enums common to all SSL classes in Qt Network. |
|---|
| 15 | \since 4.3 |
|---|
| 16 | |
|---|
| 17 | \ingroup network |
|---|
| 18 | \ingroup ssl |
|---|
| 19 | \inmodule QtNetwork |
|---|
| 20 | */ |
|---|
| 21 | |
|---|
| 22 | /*! |
|---|
| 23 | \enum QSsl::KeyType |
|---|
| 24 | |
|---|
| 25 | Describes the two types of keys QSslKey supports. |
|---|
| 26 | |
|---|
| 27 | \value PrivateKey A private key. |
|---|
| 28 | \value PublicKey A public key. |
|---|
| 29 | */ |
|---|
| 30 | |
|---|
| 31 | /*! |
|---|
| 32 | \enum QSsl::KeyAlgorithm |
|---|
| 33 | |
|---|
| 34 | Describes the different key algorithms supported by QSslKey. |
|---|
| 35 | |
|---|
| 36 | \value Rsa The RSA algorithm. |
|---|
| 37 | \value Dsa The DSA algorithm. |
|---|
| 38 | \value Ec The Elliptic Curve algorithm. |
|---|
| 39 | \value Dh The Diffie-Hellman algorithm. |
|---|
| 40 | \value Opaque A key that should be treated as a 'black box' by QSslKey. |
|---|
| 41 | |
|---|
| 42 | The opaque key facility allows applications to add support for facilities |
|---|
| 43 | such as PKCS#11 that Qt does not currently offer natively. |
|---|
| 44 | */ |
|---|
| 45 | |
|---|
| 46 | /*! |
|---|
| 47 | \enum QSsl::EncodingFormat |
|---|
| 48 | |
|---|
| 49 | Describes supported encoding formats for certificates and keys. |
|---|
| 50 | |
|---|
| 51 | \value Pem The PEM format. |
|---|
| 52 | \value Der The DER format. |
|---|
| 53 | */ |
|---|
| 54 | |
|---|
| 55 | /*! |
|---|
| 56 | \enum QSsl::AlternativeNameEntryType |
|---|
| 57 | |
|---|
| 58 | Describes the key types for alternative name entries in QSslCertificate. |
|---|
| 59 | |
|---|
| 60 | \value EmailEntry An email entry; the entry contains an email address that |
|---|
| 61 | the certificate is valid for. |
|---|
| 62 | |
|---|
| 63 | \value DnsEntry A DNS host name entry; the entry contains a host name |
|---|
| 64 | entry that the certificate is valid for. The entry may contain wildcards. |
|---|
| 65 | |
|---|
| 66 | \value IpAddressEntry An IP address entry; the entry contains an IP address |
|---|
| 67 | entry that the certificate is valid for, introduced in Qt 5.13. |
|---|
| 68 | |
|---|
| 69 | \sa QSslCertificate::subjectAlternativeNames() |
|---|
| 70 | */ |
|---|
| 71 | |
|---|
| 72 | /*! |
|---|
| 73 | \enum QSsl::SslProtocol |
|---|
| 74 | |
|---|
| 75 | Describes the protocol of the cipher. |
|---|
| 76 | |
|---|
| 77 | \value TlsV1_0 TLSv1.0 |
|---|
| 78 | \value TlsV1_0OrLater TLSv1.0 and later versions. |
|---|
| 79 | \value TlsV1_1 TLSv1.1. |
|---|
| 80 | \value TlsV1_1OrLater TLSv1.1 and later versions. |
|---|
| 81 | \value TlsV1_2 TLSv1.2. |
|---|
| 82 | \value TlsV1_2OrLater TLSv1.2 and later versions. |
|---|
| 83 | \value DtlsV1_0 DTLSv1.0 |
|---|
| 84 | \value DtlsV1_0OrLater DTLSv1.0 and later versions. |
|---|
| 85 | \value DtlsV1_2 DTLSv1.2 |
|---|
| 86 | \value DtlsV1_2OrLater DTLSv1.2 and later versions. |
|---|
| 87 | \value TlsV1_3 TLSv1.3. (Since Qt 5.12) |
|---|
| 88 | \value TlsV1_3OrLater TLSv1.3 and later versions. (Since Qt 5.12) |
|---|
| 89 | \value UnknownProtocol The cipher's protocol cannot be determined. |
|---|
| 90 | \value AnyProtocol Any supported protocol. This value is used by QSslSocket only. |
|---|
| 91 | \value SecureProtocols The default option, using protocols known to be secure. |
|---|
| 92 | */ |
|---|
| 93 | |
|---|
| 94 | /*! |
|---|
| 95 | \enum QSsl::SslOption |
|---|
| 96 | |
|---|
| 97 | Describes the options that can be used to control the details of |
|---|
| 98 | SSL behaviour. These options are generally used to turn features off |
|---|
| 99 | to work around buggy servers. |
|---|
| 100 | |
|---|
| 101 | \value SslOptionDisableEmptyFragments Disables the insertion of empty |
|---|
| 102 | fragments into the data when using block ciphers. When enabled, this |
|---|
| 103 | prevents some attacks (such as the BEAST attack), however it is |
|---|
| 104 | incompatible with some servers. |
|---|
| 105 | \value SslOptionDisableSessionTickets Disables the SSL session ticket |
|---|
| 106 | extension. This can cause slower connection setup, however some servers |
|---|
| 107 | are not compatible with the extension. |
|---|
| 108 | \value SslOptionDisableCompression Disables the SSL compression |
|---|
| 109 | extension. When enabled, this allows the data being passed over SSL to |
|---|
| 110 | be compressed, however some servers are not compatible with this |
|---|
| 111 | extension. |
|---|
| 112 | \value SslOptionDisableServerNameIndication Disables the SSL server |
|---|
| 113 | name indication extension. When enabled, this tells the server the virtual |
|---|
| 114 | host being accessed allowing it to respond with the correct certificate. |
|---|
| 115 | \value SslOptionDisableLegacyRenegotiation Disables the older insecure |
|---|
| 116 | mechanism for renegotiating the connection parameters. When enabled, this |
|---|
| 117 | option can allow connections for legacy servers, but it introduces the |
|---|
| 118 | possibility that an attacker could inject plaintext into the SSL session. |
|---|
| 119 | \value SslOptionDisableSessionSharing Disables SSL session sharing via |
|---|
| 120 | the session ID handshake attribute. |
|---|
| 121 | \value SslOptionDisableSessionPersistence Disables storing the SSL session |
|---|
| 122 | in ASN.1 format as returned by QSslConfiguration::sessionTicket(). Enabling |
|---|
| 123 | this feature adds memory overhead of approximately 1K per used session |
|---|
| 124 | ticket. |
|---|
| 125 | \value SslOptionDisableServerCipherPreference Disables selecting the cipher |
|---|
| 126 | chosen based on the servers preferences rather than the order ciphers were |
|---|
| 127 | sent by the client. This option is only relevant to server sockets, and is |
|---|
| 128 | only honored by the OpenSSL backend. |
|---|
| 129 | |
|---|
| 130 | By default, SslOptionDisableEmptyFragments is turned on since this causes |
|---|
| 131 | problems with a large number of servers. SslOptionDisableLegacyRenegotiation |
|---|
| 132 | is also turned on, since it introduces a security risk. |
|---|
| 133 | SslOptionDisableCompression is turned on to prevent the attack publicised by |
|---|
| 134 | CRIME. |
|---|
| 135 | SslOptionDisableSessionPersistence is turned on to optimize memory usage. |
|---|
| 136 | The other options are turned off. |
|---|
| 137 | |
|---|
| 138 | \note Availability of above options depends on the version of the SSL |
|---|
| 139 | backend in use. |
|---|
| 140 | */ |
|---|
| 141 | |
|---|
| 142 | /*! |
|---|
| 143 | \enum QSsl::AlertLevel |
|---|
| 144 | \brief Describes the level of an alert message |
|---|
| 145 | \relates QSslSocket |
|---|
| 146 | \since 6.0 |
|---|
| 147 | |
|---|
| 148 | \ingroup network |
|---|
| 149 | \ingroup ssl |
|---|
| 150 | \inmodule QtNetwork |
|---|
| 151 | |
|---|
| 152 | This enum describes the level of an alert message that was sent |
|---|
| 153 | or received. |
|---|
| 154 | |
|---|
| 155 | \value Warning Non-fatal alert message |
|---|
| 156 | \value Fatal Fatal alert message, the underlying backend will |
|---|
| 157 | handle such an alert properly and close the connection. |
|---|
| 158 | \value Unknown An alert of unknown level of severity. |
|---|
| 159 | */ |
|---|
| 160 | |
|---|
| 161 | /*! |
|---|
| 162 | \enum QSsl::AlertType |
|---|
| 163 | \brief Enumerates possible codes that an alert message can have |
|---|
| 164 | \relates QSslSocket |
|---|
| 165 | \since 6.0 |
|---|
| 166 | |
|---|
| 167 | \ingroup network |
|---|
| 168 | \ingroup ssl |
|---|
| 169 | \inmodule QtNetwork |
|---|
| 170 | |
|---|
| 171 | See \l{RFC 8446, section 6} |
|---|
| 172 | for the possible values and their meaning. |
|---|
| 173 | |
|---|
| 174 | \value CloseNotify, |
|---|
| 175 | \value UnexpectedMessage |
|---|
| 176 | \value BadRecordMac |
|---|
| 177 | \value RecordOverflow |
|---|
| 178 | \value DecompressionFailure |
|---|
| 179 | \value HandshakeFailure |
|---|
| 180 | \value NoCertificate |
|---|
| 181 | \value BadCertificate |
|---|
| 182 | \value UnsupportedCertificate |
|---|
| 183 | \value CertificateRevoked |
|---|
| 184 | \value CertificateExpired |
|---|
| 185 | \value CertificateUnknown |
|---|
| 186 | \value IllegalParameter |
|---|
| 187 | \value UnknownCa |
|---|
| 188 | \value AccessDenied |
|---|
| 189 | \value DecodeError |
|---|
| 190 | \value DecryptError |
|---|
| 191 | \value ExportRestriction |
|---|
| 192 | \value ProtocolVersion |
|---|
| 193 | \value InsufficientSecurity |
|---|
| 194 | \value InternalError |
|---|
| 195 | \value InappropriateFallback |
|---|
| 196 | \value UserCancelled |
|---|
| 197 | \value NoRenegotiation |
|---|
| 198 | \value MissingExtension |
|---|
| 199 | \value UnsupportedExtension |
|---|
| 200 | \value CertificateUnobtainable |
|---|
| 201 | \value UnrecognizedName |
|---|
| 202 | \value BadCertificateStatusResponse |
|---|
| 203 | \value BadCertificateHashValue |
|---|
| 204 | \value UnknownPskIdentity |
|---|
| 205 | \value CertificateRequired |
|---|
| 206 | \value NoApplicationProtocol |
|---|
| 207 | \value UnknownAlertMessage |
|---|
| 208 | */ |
|---|
| 209 | |
|---|
| 210 | /*! |
|---|
| 211 | \enum QSsl::ImplementedClass |
|---|
| 212 | \brief Enumerates classes that a TLS backend implements |
|---|
| 213 | \relates QSslSocket |
|---|
| 214 | \since 6.1 |
|---|
| 215 | |
|---|
| 216 | \ingroup network |
|---|
| 217 | \ingroup ssl |
|---|
| 218 | \inmodule QtNetwork |
|---|
| 219 | |
|---|
| 220 | In QtNetwork, some classes have backend-specific implementation and thus |
|---|
| 221 | can be left unimplemented. Enumerators in this enum indicate, which class |
|---|
| 222 | has a working implementation in the backend. |
|---|
| 223 | |
|---|
| 224 | \value Key Class QSslKey. |
|---|
| 225 | \value Certificate Class QSslCertificate. |
|---|
| 226 | \value Socket Class QSslSocket. |
|---|
| 227 | \value DiffieHellman Class QSslDiffieHellmanParameters. |
|---|
| 228 | \value EllipticCurve Class QSslEllipticCurve. |
|---|
| 229 | \value Dtls Class QDtls. |
|---|
| 230 | \value DtlsCookie Class QDtlsClientVerifier. |
|---|
| 231 | */ |
|---|
| 232 | |
|---|
| 233 | /*! |
|---|
| 234 | \enum QSsl::SupportedFeature |
|---|
| 235 | \brief Enumerates possible features that a TLS backend supports |
|---|
| 236 | \relates QSslSocket |
|---|
| 237 | \since 6.1 |
|---|
| 238 | |
|---|
| 239 | \ingroup network |
|---|
| 240 | \ingroup ssl |
|---|
| 241 | \inmodule QtNetwork |
|---|
| 242 | |
|---|
| 243 | In QtNetwork TLS-related classes have public API, that may be left unimplemented |
|---|
| 244 | by some backend, for example, our SecureTransport backend does not support |
|---|
| 245 | server-side ALPN. Enumerators from SupportedFeature enum indicate that a particular |
|---|
| 246 | feature is supported. |
|---|
| 247 | |
|---|
| 248 | \value CertificateVerification Indicates that QSslCertificate::verify() is |
|---|
| 249 | implemented by the backend. |
|---|
| 250 | \value ClientSideAlpn Client-side ALPN (Application Layer Protocol Negotiation). |
|---|
| 251 | \value ServerSideAlpn Server-side ALPN. |
|---|
| 252 | \value Ocsp OCSP stapling (Online Certificate Status Protocol). |
|---|
| 253 | \value Psk Pre-shared keys. |
|---|
| 254 | \value SessionTicket Session tickets. |
|---|
| 255 | \value Alerts Information about alert messages sent and received. |
|---|
| 256 | */ |
|---|
| 257 | |
|---|
| 258 | QT_END_NAMESPACE |
|---|
| 259 | |
|---|
