Qt官方示例-DTLS服务器
Qt官方示例-DTLS服务器
Qt君
发布于 2023-03-17 05:49:00
发布于 2023-03-17 05:49:00
代码可运行
运行总次数:0
代码可运行
关联问题
换一批
❝该示例演示如何实现简单的DTLS服务器。❞
DTLS 是指 Datagram Transport Level Security,即数据报安全传输协议。DTLS作为UDP版本的TLS。
「注意:DTLS服务器示例旨在与DTLS客户端示例一起运行。」
该服务器由DtlsServer类实现。它使用QUdpSocket,QDtlsClientVerifier和QDtls来测试每个客户端的可达性,完成握手以及读取和写入加密的消息。
class DtlsServer : public QObject
{
Q_OBJECT
public:
DtlsServer();
~DtlsServer();
bool listen(const QHostAddress &address, quint16 port);
bool isListening() const;
void close();
signals:
void errorMessage(const QString &message);
void warningMessage(const QString &message);
void infoMessage(const QString &message);
void datagramReceived(const QString &peerInfo, const QByteArray &cipherText,
const QByteArray &plainText);
private slots:
void readyRead();
void pskRequired(QSslPreSharedKeyAuthenticator *auth);
private:
void handleNewConnection(const QHostAddress &peerAddress, quint16 peerPort,
const QByteArray &clientHello);
void doHandshake(QDtls *newConnection, const QByteArray &clientHello);
void decryptDatagram(QDtls *connection, const QByteArray &clientMessage);
void shutdown();
bool listening = false;
QUdpSocket serverSocket;
QSslConfiguration serverConfiguration;
QDtlsClientVerifier cookieSender;
std::vector<std::unique_ptr<QDtls>> knownClients;
Q_DISABLE_COPY(DtlsServer)
};
构造函数将QUdpSocket::readyRead()信号连接到其readyRead()槽函数中,并设置所需的最少TLS配置:
DtlsServer::DtlsServer()
{
connect(&serverSocket, &QAbstractSocket::readyRead, this, &DtlsServer::readyRead);
serverConfiguration = QSslConfiguration::defaultDtlsConfiguration();
serverConfiguration.setPreSharedKeyIdentityHint("Qt DTLS example server");
serverConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone);
}
「注意:服务器未使用证书,并且依赖于预共享密钥(PSK)握手。」
listen函数绑定QUdpSocket:
bool DtlsServer::listen(const QHostAddress &address, quint16 port)
{
if (address != serverSocket.localAddress() || port != serverSocket.localPort()) {
shutdown();
listening = serverSocket.bind(address, port);
if (!listening)
emit errorMessage(serverSocket.errorString());
} else {
listening = true;
}
return listening;
}
readyRead槽函数处理传入的数据报文:
...
const qint64 bytesToRead = serverSocket.pendingDatagramSize();
if (bytesToRead <= 0) {
emit warningMessage(tr("A spurious read notification"));
return;
}
QByteArray dgram(bytesToRead, Qt::Uninitialized);
QHostAddress peerAddress;
quint16 peerPort = 0;
const qint64 bytesRead = serverSocket.readDatagram(dgram.data(), dgram.size(),
&peerAddress, &peerPort);
if (bytesRead <= 0) {
emit warningMessage(tr("Failed to read a datagram: ") + serverSocket.errorString());
return;
}
dgram.resize(bytesRead);
...
提取地址和端口号之后,服务器首先测试它是否是来自已知对等方的数据报文:
...
if (peerAddress.isNull() || !peerPort) {
emit warningMessage(tr("Failed to extract peer info (address, port)"));
return;
}
const auto client = std::find_if(knownClients.begin(), knownClients.end(),
[&](const std::unique_ptr<QDtls> &connection){
return connection->peerAddress() == peerAddress
&& connection->peerPort() == peerPort;
});
...
如果它是新的未知地址和端口,则数据报将作为潜在的ClientHello消息处理,由DTLS客户端发送:
...
if (client == knownClients.end())
return handleNewConnection(peerAddress, peerPort, dgram);
...
如果它是已知的DTLS客户端,则服务器要么解密数据报文:
...
if ((*client)->isConnectionEncrypted()) {
decryptDatagram(client->get(), dgram);
if ((*client)->dtlsError() == QDtlsError::RemoteClosedConnectionError)
knownClients.erase(client);
return;
}
...
或继续与此对等方握手:
...
doHandshake(client->get(), dgram);
...
handleNewConnection()验证它是可访问的DTLS客户端,或发送HelloVerifyRequest:
void DtlsServer::handleNewConnection(const QHostAddress &peerAddress,
quint16 peerPort, const QByteArray &clientHello)
{
if (!listening)
return;
const QString peerInfo = peer_info(peerAddress, peerPort);
if (cookieSender.verifyClient(&serverSocket, clientHello, peerAddress, peerPort)) {
emit infoMessage(peerInfo + tr(": verified, starting a handshake"));
...
如果新客户端已被验证为可访问的DTLS客户端,则服务器将创建并配置新的QDtls对象,并启动服务器端握手:
...
std::unique_ptr<QDtls> newConnection{new QDtls{QSslSocket::SslServerMode}};
newConnection->setDtlsConfiguration(serverConfiguration);
newConnection->setPeer(peerAddress, peerPort);
newConnection->connect(newConnection.get(), &QDtls::pskRequired,
this, &DtlsServer::pskRequired);
knownClients.push_back(std::move(newConnection));
doHandshake(knownClients.back().get(), clientHello);
...
doHandshake()进入握手阶段:
void DtlsServer::doHandshake(QDtls *newConnection, const QByteArray &clientHello)
{
const bool result = newConnection->doHandshake(&serverSocket, clientHello);
if (!result) {
emit errorMessage(newConnection->dtlsErrorString());
return;
}
const QString peerInfo = peer_info(newConnection->peerAddress(),
newConnection->peerPort());
switch (newConnection->handshakeState()) {
case QDtls::HandshakeInProgress:
emit infoMessage(peerInfo + tr(": handshake is in progress ..."));
break;
case QDtls::HandshakeComplete:
emit infoMessage(tr("Connection with %1 encrypted. %2")
.arg(peerInfo, connection_info(newConnection)));
break;
default:
Q_UNREACHABLE();
}
}
在握手阶段,将发出QDtls::pskRequired()信号,而pskRequired()槽函数将提供预共享密钥:
void DtlsServer::pskRequired(QSslPreSharedKeyAuthenticator *auth)
{
Q_ASSERT(auth);
emit infoMessage(tr("PSK callback, received a client's identity: '%1'")
.arg(QString::fromLatin1(auth->identity())));
auth->setPreSharedKey(QByteArrayLiteral("\x1a\x2b\x3c\x4d\x5e\x6f"));
}
「注意:为了简洁起见,pskRequired()的定义被简化了。QSslPreSharedKeyAuthenticator类的文档详细说明了如何正确实现此槽函数。」
网络对等方完成握手后,将视为已建立加密的DTLS连接,并且服务器通过调用cryptoDatagram()来解密对等方发送的后续数据报。服务器还将加密的响应发送到对等方:
void DtlsServer::decryptDatagram(QDtls *connection, const QByteArray &clientMessage)
{
Q_ASSERT(connection->isConnectionEncrypted());
const QString peerInfo = peer_info(connection->peerAddress(), connection->peerPort());
const QByteArray dgram = connection->decryptDatagram(&serverSocket, clientMessage);
if (dgram.size()) {
emit datagramReceived(peerInfo, clientMessage, dgram);
connection->writeDatagramEncrypted(&serverSocket, tr("to %1: ACK").arg(peerInfo).toLatin1());
} else if (connection->dtlsError() == QDtlsError::NoError) {
emit warningMessage(peerInfo + ": " + tr("0 byte dgram, could be a re-connect attempt?"));
} else {
emit errorMessage(peerInfo + ": " + connection->dtlsErrorString());
}
}
服务器通过调用QDtls::shutdown()关闭其DTLS连接:
void DtlsServer::shutdown()
{
for (const auto &connection : qExchange(knownClients, {}))
connection->shutdown(&serverSocket);
serverSocket.close();
}
在其运行期间,服务器通过发出errorMessage(),warningMessage(),infoMessage()和datagramReceived()信号来报告错误,信息消息和解密的数据报。这些消息由服务器的UI记录:
const QString colorizer(QStringLiteral("<font color=\"%1\">%2</font><br>"));
void MainWindow::addErrorMessage(const QString &message)
{
ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("Crimson"), message));
}
void MainWindow::addWarningMessage(const QString &message)
{
ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkOrange"), message));
}
void MainWindow::addInfoMessage(const QString &message)
{
ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkBlue"), message));
}
void MainWindow::addClientMessage(const QString &peerInfo, const QByteArray &datagram,
const QByteArray &plainText)
{
static const QString messageColor = QStringLiteral("DarkMagenta");
static const QString formatter = QStringLiteral("<br>---------------"
"<br>A message from %1"
"<br>DTLS datagram:<br> %2"
"<br>As plain text:<br> %3");
const QString html = formatter.arg(peerInfo, QString::fromUtf8(datagram.toHex(' ')),
QString::fromUtf8(plainText));
ui->messages->insertHtml(colorizer.arg(messageColor, html));
}
关于更多
- 在「QtCreator软件」可以找到:
- 或在以下「Qt安装目录」找到:
C:\Qt\{你的Qt版本}\Examples\{你的Qt版本}\network\secureudpserver- 「相关链接」
https://doc.qt.io/qt-5/qtnetwork-secureudpserver-example.html本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2020-09-20,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
暂无评论
推荐阅读
相关推荐
Mysql必知必会!
更多 >
腾讯云开发者
