DTLS服务器
此示例演示如何实现一个简单的DTLS服务器。
注意:DTLS服务器示例旨在与DTLS客户端示例一起运行。
服务器通过DtlsServer类实现。它使用QUdpSocket、QDtlsClientVerifier 和 QDtls 来测试每个客户端的可达性,完成握手,并读取和写入加密消息。
class DtlsServer : public QObject { Q_OBJECT public: DtlsServer(); ~DtlsServer(); bool listen(const QHostAddress &address, quint16 port); bool isListening() const; void close(); signals: void errorMessage(const QString &message); void warningMessage(const QString &message); void infoMessage(const QString &message); void datagramReceived(const QString &peerInfo, const QByteArray &cipherText, const QByteArray &plainText); private slots: void readyRead(); void pskRequired(QSslPreSharedKeyAuthenticator *auth); private: void handleNewConnection(const QHostAddress &peerAddress, quint16 peerPort, const QByteArray &clientHello); void doHandshake(QDtls *newConnection, const QByteArray &clientHello); void decryptDatagram(QDtls *connection, const QByteArray &clientMessage); void shutdown(); bool listening = false; QUdpSocket serverSocket; QSslConfiguration serverConfiguration; QDtlsClientVerifier cookieSender; std::vector<std::unique_ptr<QDtls>> knownClients; Q_DISABLE_COPY(DtlsServer) };
构造函数将QUdpSocket::readyRead()信号连接到其readyRead()槽,并设置所需的TLS配置的最小值
DtlsServer::DtlsServer() { connect(&serverSocket, &QAbstractSocket::readyRead, this, &DtlsServer::readyRead); serverConfiguration = QSslConfiguration::defaultDtlsConfiguration(); serverConfiguration.setPreSharedKeyIdentityHint("Qt DTLS example server"); serverConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone); }
注意:服务器不使用证书,而是依赖于预共享密钥(PSK)握手。
listen()绑定QUdpSocket
bool DtlsServer::listen(const QHostAddress &address, quint16 port) { if (address != serverSocket.localAddress() || port != serverSocket.localPort()) { shutdown(); listening = serverSocket.bind(address, port); if (!listening) emit errorMessage(serverSocket.errorString()); } else { listening = true; } return listening; }
readyRead()槽处理传入的数据报
... const qint64 bytesToRead = serverSocket.pendingDatagramSize(); if (bytesToRead <= 0) { emit warningMessage(tr("A spurious read notification")); return; } QByteArray dgram(bytesToRead, Qt::Uninitialized); QHostAddress peerAddress; quint16 peerPort = 0; const qint64 bytesRead = serverSocket.readDatagram(dgram.data(), dgram.size(), &peerAddress, &peerPort); if (bytesRead <= 0) { emit warningMessage(tr("Failed to read a datagram: ") + serverSocket.errorString()); return; } dgram.resize(bytesRead); ...
提取地址和端口号后,服务器首先测试它是否来自已知的对等体
... if (peerAddress.isNull() || !peerPort) { emit warningMessage(tr("Failed to extract peer info (address, port)")); return; } const auto client = std::find_if(knownClients.begin(), knownClients.end(), [&](const std::unique_ptr<QDtls> &connection){ return connection->peerAddress() == peerAddress && connection->peerPort() == peerPort; }); ...
如果它是新的、未知的地址和端口,则将数据报处理为潜在的ClientHello消息,由DTLS客户端发送
... if (client == knownClients.end()) return handleNewConnection(peerAddress, peerPort, dgram); ...
如果它是已知的DTLS客户端,则服务器可以解密数据报
... if ((*client)->isConnectionEncrypted()) { decryptDatagram(client->get(), dgram); if ((*client)->dtlsError() == QDtlsError::RemoteClosedConnectionError) knownClients.erase(client); return; } ...
或与该对等体继续握手
... doHandshake(client->get(), dgram); ...
handleNewConnection()验证它是否可达的DTLS客户端,或发送HelloVerifyRequest
void DtlsServer::handleNewConnection(const QHostAddress &peerAddress, quint16 peerPort, const QByteArray &clientHello) { if (!listening) return; const QString peerInfo = peer_info(peerAddress, peerPort); if (cookieSender.verifyClient(&serverSocket, clientHello, peerAddress, peerPort)) { emit infoMessage(peerInfo + tr(": verified, starting a handshake")); ...
如果新客户端被验证为可达的DTLS客户端,服务器将创建和配置一个新的QDtls对象,并开始服务器端的握手
...
std::unique_ptr<QDtls> newConnection{new QDtls{QSslSocket::SslServerMode}};
newConnection->setDtlsConfiguration(serverConfiguration);
newConnection->setPeer(peerAddress, peerPort);
newConnection->connect(newConnection.get(), &QDtls::pskRequired,
this, &DtlsServer::pskRequired);
knownClients.push_back(std::move(newConnection));
doHandshake(knownClients.back().get(), clientHello);
...doHandshake()通过握手阶段
void DtlsServer::doHandshake(QDtls *newConnection, const QByteArray &clientHello) { const bool result = newConnection->doHandshake(&serverSocket, clientHello); if (!result) { emit errorMessage(newConnection->dtlsErrorString()); return; } const QString peerInfo = peer_info(newConnection->peerAddress(), newConnection->peerPort()); switch (newConnection->handshakeState()) { case QDtls::HandshakeInProgress: emit infoMessage(peerInfo + tr(": handshake is in progress ...")); break; case QDtls::HandshakeComplete: emit infoMessage(tr("Connection with %1 encrypted. %2") .arg(peerInfo, connection_info(newConnection))); break; default: Q_UNREACHABLE(); } }
在握手阶段,会发出QDtls::pskRequired()信号,pskRequired()槽提供预共享密钥
void DtlsServer::pskRequired(QSslPreSharedKeyAuthenticator *auth) { Q_ASSERT(auth); emit infoMessage(tr("PSK callback, received a client's identity: '%1'") .arg(QString::fromLatin1(auth->identity()))); auth->setPreSharedKey(QByteArrayLiteral("\x1a\x2b\x3c\x4d\x5e\x6f")); }
注意:为了简洁起见,pskRequired()的定义过于简化。关于QSslPreSharedKeyAuthenticator类的文档中详细解释了如何正确实现此槽。
对于网络对等体完成握手后,加密的DTLS连接被认为是建立的,服务器通过调用decryptDatagram()解密对等体发送的后续数据报。服务器还向对等体发送加密响应
void DtlsServer::decryptDatagram(QDtls *connection, const QByteArray &clientMessage) { Q_ASSERT(connection->isConnectionEncrypted()); const QString peerInfo = peer_info(connection->peerAddress(), connection->peerPort()); const QByteArray dgram = connection->decryptDatagram(&serverSocket, clientMessage); if (dgram.size()) { emit datagramReceived(peerInfo, clientMessage, dgram); connection->writeDatagramEncrypted(&serverSocket, tr("to %1: ACK").arg(peerInfo).toLatin1()); } else if (connection->dtlsError() == QDtlsError::NoError) { emit warningMessage(peerInfo + ": " + tr("0 byte dgram, could be a re-connect attempt?")); } else { emit errorMessage(peerInfo + ": " + connection->dtlsErrorString()); } }
服务器通过调用QDtls::shutdown()关闭其DTLS连接
void DtlsServer::shutdown() { for (const auto &connection : std::exchange(knownClients, {})) connection->shutdown(&serverSocket); serverSocket.close(); }
在其操作过程中,服务器通过发出errorMessage()、warningMessage()、infoMessage()和datagramReceived()信号报告错误、信息消息和解密数据报。这些消息由服务器的UI记录
const QString colorizer(QStringLiteral("<font color=\"%1\">%2</font><br>")); void MainWindow::addErrorMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("Crimson"), message)); } void MainWindow::addWarningMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkOrange"), message)); } void MainWindow::addInfoMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkBlue"), message)); } void MainWindow::addClientMessage(const QString &peerInfo, const QByteArray &datagram, const QByteArray &plainText) { static const QString messageColor = QStringLiteral("DarkMagenta"); static const QString formatter = QStringLiteral("<br>---------------" "<br>A message from %1" "<br>DTLS datagram:<br> %2" "<br>As plain text:<br> %3"); const QString html = formatter.arg(peerInfo, QString::fromUtf8(datagram.toHex(' ')), QString::fromUtf8(plainText)); ui->messages->insertHtml(colorizer.arg(messageColor, html)); }
© 2024 Qt公司有限公司。此处包含的文档贡献是各自所有者的版权。所提供的文档根据GNU自由文档许可协议版本1.3的条款发布,由自由软件基金会出版。Qt及其标志是Qt公司有限公司在芬兰和/或其他国家的商标。所有其他商标均为各自所有者的财产。
