2
* qca_securelayer.h - Qt Cryptographic Architecture
3
* Copyright (C) 2003-2007 Justin Karneges <justin@affinix.com>
4
* Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net>
6
* This library is free software; you can redistribute it and/or
7
* modify it under the terms of the GNU Lesser General Public
8
* License as published by the Free Software Foundation; either
9
* version 2.1 of the License, or (at your option) any later version.
11
* This library is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14
* Lesser General Public License for more details.
16
* You should have received a copy of the GNU Lesser General Public
17
* License along with this library; if not, write to the Free Software
18
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
23
\file qca_securelayer.h
25
Header file for SecureLayer and its subclasses
27
\note You should not use this header directly from an
28
application. You should just use <tt> \#include \<QtCrypto>
31
#ifndef QCA_SECURELAYER_H
32
#define QCA_SECURELAYER_H
36
#include "qca_publickey.h"
42
Specify the lower-bound for acceptable TLS/SASL security layers
44
For TLS, the interpretation of these levels is:
45
- Any cipher suite that provides non-authenticated communications
46
(usually anonymous Diffie-Hellman) is SL_Integrity.
47
- Any cipher suite that is limited to 40 bits (export-version
48
crippled forms of RC2, RC4 or DES) is SL_Export. Standard
49
DES (56 bits) and some forms of RC4 (64 bits) are also SL_Export.
50
- Any normal cipher (AES, Camellia, RC4 or similar) with 128 bits, or
51
Elliptic Curve Ciphers with 283 bits, is SL_Baseline
52
- AES or Camellia at least 192 bits, triple-DES and similar
53
ciphers are SL_High. ECC with 409 or more bits is also SL_High.
54
- Highest does not have an equivalent strength. It
55
indicates that the provider should use the strongest
56
ciphers available (but not less than SL_High).
60
SL_None, ///< indicates that no security is ok
61
SL_Integrity, ///< must at least get integrity protection
62
SL_Export, ///< must be export level bits or more
63
SL_Baseline, ///< must be 128 bit or more
64
SL_High, ///< must be more than 128 bit
65
SL_Highest ///< SL_High or max possible, whichever is greater
69
\class SecureLayer qca_securelayer.h QtCrypto
71
Abstract interface to a security layer
73
SecureLayer is normally used between an application and a
74
potentially insecure network. It provides secure
75
communications over that network.
77
The concept is that (after some initial setup), the
78
application can write() some data to the SecureLayer
79
implementation, and that data is encrypted (or otherwise
80
protected, depending on the setup). The SecureLayer
81
implementation then emits the readyReadOutgoing() signal,
82
and the application uses readOutgoing() to retrieve the the
83
encrypted data from the SecureLayer implementation. The
84
encrypted data is then sent out on the network.
86
When some encrypted data comes back from the network, the
87
application does a writeIncoming() to the SecureLayer
88
implementation. Some time later, the SecureLayer
89
implementation may emit readyRead() to the application,
90
which then read()s the decrypted data from the SecureLayer
93
Note that sometimes data is sent or received between the
94
SecureLayer implementation and the network without any data
95
being sent between the application and the SecureLayer
96
implementation. This is a result of the initial negotiation
97
activities (which require network traffic to agree a
98
configuration to use) and other overheads associated with
103
class QCA_EXPORT SecureLayer : public QObject
108
Constructor for an abstract secure communications
111
\param parent the parent object for this object
113
SecureLayer(QObject *parent = 0);
116
Returns true if the layer has a meaningful "close".
118
virtual bool isClosable() const;
121
Returns the number of bytes available to be read()
122
on the application side.
124
virtual int bytesAvailable() const = 0;
127
Returns the number of bytes available to be
128
readOutgoing() on the network side.
130
virtual int bytesOutgoingAvailable() const = 0;
133
Close the link. Note that this may not be
134
meaningful / possible for all implementations.
136
\sa isClosable() for a test that verifies if the
139
virtual void close();
142
This method writes unencrypted (plain) data to
143
the SecureLayer implementation. You normally
144
call this function on the application side.
146
\param a the source of the application-side data
148
virtual void write(const QByteArray &a) = 0;
151
This method reads decrypted (plain) data from
152
the SecureLayer implementation. You normally call
153
this function on the application side after receiving
154
the readyRead() signal.
156
virtual QByteArray read() = 0;
159
This method accepts encoded (typically encrypted) data
160
for processing. You normally call this function using
161
data read from the network socket (e.g. using
162
QTcpSocket::readAll()) after receiving a signal that
163
indicates that the socket has data to read.
165
\param a the ByteArray to take network-side data from
167
virtual void writeIncoming(const QByteArray &a) = 0;
170
This method provides encoded (typically encrypted)
171
data. You normally call this function to get data
172
to write out to the network socket (e.g. using
173
QTcpSocket::write()) after receiving the
174
readyReadOutgoing() signal.
176
\param plainBytes the number of bytes that were read.
178
virtual QByteArray readOutgoing(int *plainBytes = 0) = 0;
181
This allows you to read data without having it
182
decrypted first. This is intended to be used for
183
protocols that close off the connection and return
184
to plain text transfer. You do not normally need to
187
virtual QByteArray readUnprocessed();
190
Convert encrypted bytes written to plain text bytes written
192
\param encryptedBytes the number of bytes to convert
194
virtual int convertBytesWritten(qint64 encryptedBytes) = 0;
198
This signal is emitted when SecureLayer has
199
decrypted (application side) data ready to be
200
read. Typically you will connect this signal to a
201
slot that reads the data (using read()).
206
This signal is emitted when SecureLayer has encrypted
207
(network side) data ready to be read. Typically you
208
will connect this signal to a slot that reads the data
209
(using readOutgoing()) and writes it to a network socket.
211
void readyReadOutgoing();
214
This signal is emitted when the SecureLayer connection
220
This signal is emitted when an error is detected. You
221
can determine the error type using errorCode().
226
Q_DISABLE_COPY(SecureLayer)
230
\class TLSSession qca_securelayer.h QtCrypto
232
Session token, used for TLS resuming
237
class QCA_EXPORT TLSSession : public Algorithm
245
\param from the session token to copy from
247
TLSSession(const TLSSession &from);
254
\param from the session token to assign from
256
TLSSession & operator=(const TLSSession &from);
259
Test if the session token is valid
265
\class TLS qca_securelayer.h QtCrypto
267
Transport Layer Security / Secure Socket Layer
269
Transport Layer Security (%TLS) is the current
270
state-of-the-art in secure transport mechanisms over the
271
internet. It can be used in a way where only one side of
272
the link needs to authenticate to the other. This makes it
273
very useful for servers to provide their identity to
274
clients. Note that is is possible to use %TLS to
275
authenticate both client and server.
277
%TLS is a IETF standard (<a
278
href="http://www.ietf.org/rfc/rfc2712.txt">RFC2712</a> for
279
TLS version 1.0) based on earlier Netscape work on Secure
280
Socket Layer (SSL version 2 and SSL version 3). New
281
applications should use at least TLS 1.0, and SSL version 2
282
should be avoided due to known security problems.
286
class QCA_EXPORT TLS : public SecureLayer, public Algorithm
295
Stream, ///< stream mode
296
Datagram ///< datagram mode
300
Version of %TLS or SSL
304
TLS_v1, ///< Transport Layer Security, version 1
305
SSL_v3, ///< Secure Socket Layer, version 3
306
SSL_v2, ///< Secure Socket Layer, version 2
307
DTLS_v1 ///< Datagram Transport Layer Security, version 1
315
ErrorSignerExpired, ///< local certificate is expired
316
ErrorSignerInvalid, ///< local certificate is invalid in some way
317
ErrorCertKeyMismatch, ///< certificate and private key don't match
318
ErrorInit, ///< problem starting up %TLS
319
ErrorHandshake, ///< problem during the negotiation
320
ErrorCrypt ///< problem at anytime after
328
Valid, ///< identity is verified
329
HostMismatch, ///< valid cert provided, but wrong owner
330
InvalidCertificate, ///< invalid cert
331
NoCertificate ///< identity unknown
335
Constructor for Transport Layer Security connection
337
This produces a Stream (normal %TLS) rather than Datagram (DTLS)
339
If you want to do DTLS, see below.
341
\param parent the parent object for this object
342
\param provider the name of the provider, if a specific provider
345
explicit TLS(QObject *parent = 0, const QString &provider = QString());
348
Constructor for Transport Layer Security connection.
350
This constructor can be used for both normal %TLS (set mode to TLS::Stream)
351
or DTLS (set mode to TLS::Datagram).
353
\param mode the connection Mode
354
\param parent the parent object for this object
355
\param provider the name of the provider, if a specific provider is
358
explicit TLS(Mode mode, QObject *parent = 0, const QString &provider = QString());
371
Get the list of cipher suites that are available for use.
373
A cipher suite is a combination of key exchange,
374
encryption and hashing algorithms that are agreed
375
during the initial handshake between client and
378
\param version the protocol Version that the cipher
379
suites are required for
381
\return list of the the names of the cipher suites
384
QStringList supportedCipherSuites(const Version &version = TLS_v1) const;
387
The local certificate to use. This is the
388
certificate that will be provided to the peer. This
389
is almost always required on the server side
390
(because the server has to provide a certificate to
391
the client), and may be used on the client side.
393
\param cert a chain of certificates that
394
link the host certificate to a trusted root
396
\param key the private key for the certificate
399
void setCertificate(const CertificateChain &cert, const PrivateKey &key);
404
Allows setting a certificate from a KeyBundle.
406
\param kb key bundle containing the local certificate
407
and associated private key.
409
void setCertificate(const KeyBundle &kb);
412
Return the trusted certificates set for this object
414
CertificateCollection trustedCertificates() const;
417
Set up the set of trusted certificates that will be used to verify
418
that the certificate provided is valid.
420
Typically, this will be the collection of root certificates from
421
the system, which you can get using QCA::systemStore(), however you
422
may choose to pass whatever certificates match your assurance
425
\param trusted a bundle of trusted certificates.
427
void setTrustedCertificates(const CertificateCollection &trusted);
430
The security level required for this link
432
\param s the level required for this link.
434
void setConstraints(SecurityLevel s);
439
\param minSSF the minimum Security Strength Factor
440
required for this link.
441
\param maxSSF the maximum Security Strength Factor
442
required for this link.
444
void setConstraints(int minSSF, int maxSSF);
449
\param cipherSuiteList a list of the names of
450
cipher suites that can be used for this link.
452
\note the names are the same as the names in the
453
applicable IETF RFCs (or Internet Drafts if there
454
is no applicable RFC).
456
void setConstraints(const QStringList &cipherSuiteList);
459
Retrieve the list of allowed issuers by the server,
460
if the server has provided them. Only DN types will
464
Certificate someCert = ...
465
PrivateKey someKey = ...
467
// see if the server will take our cert
468
CertificateInfoOrdered issuerInfo = someCert.issuerInfoOrdered().dnOnly();
469
foreach(const CertificateInfoOrdered &info, tls->issuerList())
471
if(info == issuerInfo)
473
// server will accept someCert, let's present it
474
tls->setCertificate(someCert, someKey);
480
QList<CertificateInfoOrdered> issuerList() const;
483
Sets the issuer list to present to the client. For
484
use with servers only. Only DN types are allowed.
486
\param issuers the list of valid issuers to be used.
488
void setIssuerList(const QList<CertificateInfoOrdered> &issuers);
491
Resume a %TLS session using the given session object
493
\param session the session state to use for resumption.
495
void setSession(const TLSSession &session);
498
Test if the link can use compression
500
\return true if the link can use compression
502
bool canCompress() const;
505
Test if the link can specify a hostname (Server Name
508
\return true if the link can specify a hostname
510
bool canSetHostName() const;
513
Returns true if compression is enabled
515
This only indicates whether or not the object is configured to use
516
compression, not whether or not the link is actually compressed.
517
Use isCompressed() for that.
519
bool compressionEnabled() const;
522
Set the link to use compression
524
\param b true if the link should use compression, or false to
527
void setCompressionEnabled(bool b);
530
Returns the host name specified or an empty string if no host
533
QString hostName() const;
536
Start the %TLS/SSL connection as a client
538
Typically, you'll want to perform RFC 2818 validation on the
539
server's certificate, based on the hostname you're intending
540
to connect to. Pass a value for \a host in order to have the
541
validation for you. If you want to bypass this behavior and
542
do the validation yourself, pass an empty string for \a host.
544
If the host is an internationalized domain name, then it must be
545
provided in unicode format, not in IDNA ACE/punycode format.
547
\param host the hostname that you want to connect to
549
\note The hostname will be used for Server Name Indication
551
<a href="http://www.ietf.org/rfc/rfc3546.txt">RFC 3546</a> Section
552
3.1) if supported by the backend provider.
554
void startClient(const QString &host = QString());
557
Start the %TLS/SSL connection as a server.
562
Resumes %TLS processing.
564
Call this function after hostNameReceived(), certificateRequested()
565
peerCertificateAvailable() or handshaken() is emitted. By
566
requiring this function to be called in order to proceed,
567
applications are given a chance to perform user interaction between
568
steps in the %TLS process.
570
void continueAfterStep();
573
test if the handshake is complete
575
\return true if the handshake is complete
579
bool isHandshaken() const;
582
test if the link is compressed
584
\return true if the link is compressed
586
bool isCompressed() const;
589
The protocol version that is in use for this connection.
591
Version version() const;
594
The cipher suite that has been negotiated for this connection.
596
The name returned here is the name used in the applicable RFC
597
(or Internet Draft, where there is no RFC).
599
QString cipherSuite() const;
602
The number of effective bits of security being used for this
605
This can differ from the actual number of bits in
606
the cipher for certain
607
older "export ciphers" that are deliberately crippled. If you
608
want that information, use cipherMaxBits().
610
int cipherBits() const;
613
The number of bits of security that the cipher could use.
615
This is normally the same as cipherBits(), but can be greater
616
for older "export ciphers".
618
int cipherMaxBits() const;
621
The session object of the %TLS connection, which can be used
624
TLSSession session() const;
627
This method returns the type of error that has
628
occurred. You should only need to check this if the
629
error() signal is emitted.
631
Error errorCode() const;
634
After the SSL/%TLS handshake is complete, this
635
method allows you to determine if the other end
636
of the connection (if the application is a client,
637
this is the server; if the application is a server,
638
this is the client) has a valid identity.
640
Note that the security of %TLS/SSL depends on
641
checking this. It is not enough to check that the
642
certificate is valid - you must check that the
643
certificate is valid for the entity that you are
644
trying to communicate with.
646
\note If this returns QCA::TLS::InvalidCertificate,
647
you may wish to use peerCertificateValidity() to
648
determine whether to proceed or not.
650
IdentityResult peerIdentityResult() const;
653
After the SSL/%TLS handshake is valid, this method
654
allows you to check if the received certificate
655
from the other end is valid. As noted in
656
peerIdentityResult(), you also need to check that
657
the certificate matches the entity you are trying
660
Validity peerCertificateValidity() const;
663
The CertificateChain for the local host
666
CertificateChain localCertificateChain() const;
669
The PrivateKey for the local host
672
PrivateKey localPrivateKey() const;
675
The CertificateChain from the peer (other end of
676
the connection to the trusted root certificate).
678
CertificateChain peerCertificateChain() const;
681
virtual bool isClosable() const;
682
virtual int bytesAvailable() const;
683
virtual int bytesOutgoingAvailable() const;
684
virtual void close();
685
virtual void write(const QByteArray &a);
686
virtual QByteArray read();
687
virtual void writeIncoming(const QByteArray &a);
688
virtual QByteArray readOutgoing(int *plainBytes = 0);
689
virtual QByteArray readUnprocessed();
690
virtual int convertBytesWritten(qint64 encryptedBytes);
693
Determine the number of packets available to be
694
read on the application side.
696
\note this is only used with DTLS.
698
int packetsAvailable() const;
701
Determine the number of packets available to be
702
read on the network side.
704
\note this is only used with DTLS.
706
int packetsOutgoingAvailable() const;
709
Return the currently configured maximum packet size
711
\note this is only used with DTLS
713
int packetMTU() const;
716
Set the maximum packet size to use.
718
\param size the number of bytes to set as the MTU.
720
\note this is only used with DTLS.
722
void setPacketMTU(int size) const;
726
Emitted if a host name is set by the client. At
727
this time, the server can inspect the hostName().
729
You must call continueAfterStep() in order for %TLS
730
processing to resume after this signal is emitted.
732
This signal is only emitted in server mode.
734
\sa continueAfterStep
736
void hostNameReceived();
739
Emitted when the server requests a certificate. At
740
this time, the client can inspect the issuerList().
742
You must call continueAfterStep() in order for %TLS
743
processing to resume after this signal is emitted.
745
This signal is only emitted in client mode.
747
\sa continueAfterStep
749
void certificateRequested();
752
Emitted when a certificate is received from the peer.
753
At this time, you may inspect peerIdentityResult(),
754
peerCertificateValidity(), and peerCertificateChain().
756
You must call continueAfterStep() in order for %TLS
757
processing to resume after this signal is emitted.
759
\sa continueAfterStep
761
void peerCertificateAvailable();
764
Emitted when the protocol handshake is complete. At
765
this time, all available information about the %TLS
766
session can be inspected.
768
You must call continueAfterStep() in order for %TLS
769
processing to resume after this signal is emitted.
771
\sa continueAfterStep
778
Called when a connection is made to a particular signal
780
\param signal the name of the signal that has been
783
void connectNotify(const char *signal);
786
Called when a connection is removed from a particular signal
788
\param signal the name of the signal that has been
791
void disconnectNotify(const char *signal);
797
friend class Private;
802
\class SASL qca_securelayer.h QtCrypto
804
Simple Authentication and Security Layer protocol implementation
806
This class implements the Simple Authenication and Security Layer protocol,
807
which is described in RFC2222 - see
808
<a href="http://www.ietf.org/rfc/rfc2222.txt">http://www.ietf.org/rfc/rfc2222.txt</a>.
810
As the name suggests, %SASL provides authentication (eg, a "login" of some
811
form), for a connection oriented protocol, and can also provide protection
812
for the subsequent connection.
814
The %SASL protocol is designed to be extensible, through a range of
815
"mechanisms", where a mechanism is the actual authentication method.
816
Example mechanisms include Anonymous, LOGIN, Kerberos V4, and GSSAPI.
817
Mechanisms can be added (potentially without restarting the server
818
application) by the system administrator.
820
It is important to understand that %SASL is neither "network aware" nor
821
"protocol aware". That means that %SASL does not understand how the client
822
connects to the server, and %SASL does not understand the actual
823
application protocol.
828
class QCA_EXPORT SASL : public SecureLayer, public Algorithm
833
Possible errors that may occur when using %SASL
837
ErrorInit, ///< problem starting up %SASL
838
ErrorHandshake, ///< problem during the authentication process
839
ErrorCrypt ///< problem at anytime after
843
Possible authentication error states
847
AuthFail, ///< Generic authentication failure
848
NoMechanism, ///< No compatible/appropriate authentication mechanism
849
BadProtocol, ///< Bad protocol or cancelled
850
BadServer, ///< Server failed mutual authentication (client side only)
851
BadAuth, ///< Authentication failure (server side only)
852
NoAuthzid, ///< Authorization failure (server side only)
853
TooWeak, ///< Mechanism too weak for this user (server side only)
854
NeedEncrypt, ///< Encryption is needed in order to use mechanism (server side only)
855
Expired, ///< Passphrase expired, has to be reset (server side only)
856
Disabled, ///< Account is disabled (server side only)
857
NoUser, ///< User not found (server side only)
858
RemoteUnavailable ///< Remote service needed for auth is gone (server side only)
862
Authentication requirement flag values
866
AuthFlagsNone = 0x00,
868
AllowAnonymous = 0x02,
869
RequireForwardSecrecy = 0x04,
870
RequirePassCredentials = 0x08,
871
RequireMutualAuth = 0x10,
872
RequireAuthzidSupport = 0x20 // server-only
876
Mode options for client side sending
880
AllowClientSendFirst,
881
DisableClientSendFirst
885
Mode options for server side sending
890
DisableServerSendLast
894
\class Params qca_securelayer.h QtCrypto
896
Parameter flags for the %SASL authentication
898
This is used to indicate which parameters are needed by %SASL
899
in order to complete the authentication process.
903
class QCA_EXPORT Params
909
Standard constructor.
911
The concept behind this is that you set each of the
912
flags depending on which parameters are needed.
914
\param user the username is required
915
\param authzid the authorization identity is required
916
\param pass the password is required
917
\param realm the realm is required
919
Params(bool user, bool authzid, bool pass, bool realm);
922
Standard copy constructor
924
\param from the Params object to copy
926
Params(const Params &from);
930
Standard assignment operator
932
\param from the Params object to assign from
934
Params & operator=(const Params &from);
939
bool needUsername() const;
942
An Authorization ID can be sent if desired
944
bool canSendAuthzid() const;
949
bool needPassword() const;
952
A Realm can be sent if desired
954
bool canSendRealm() const;
964
\param parent the parent object for this %SASL connection
965
\param provider if specified, the provider to use. If not
966
specified, or specified as empty, then any provider is
969
explicit SASL(QObject *parent = 0, const QString &provider = QString());
974
Reset the %SASL mechanism
979
Specify connection constraints
981
%SASL supports a range of authentication requirements, and
982
a range of security levels. This method allows you to
983
specify the requirements for your connection.
985
\param f the authentication requirements, which you typically
986
build using a binary OR function (eg AllowPlain | AllowAnonymous)
987
\param s the security level of the encryption, if used. See
988
SecurityLevel for details of what each level provides.
990
void setConstraints(AuthFlags f, SecurityLevel s = SL_None);
995
Unless you have a specific reason for directly specifying a
996
strength factor, you probably should use the method above.
998
\param f the authentication requirements, which you typically
999
build using a binary OR function (eg AllowPlain | AllowAnonymous)
1000
\param minSSF the minimum security strength factor that is required
1001
\param maxSSF the maximum security strength factor that is required
1003
\note Security strength factors are a rough approximation to key
1004
length in the encryption function (eg if you are securing with
1005
plain DES, the security strength factor would be 56).
1007
void setConstraints(AuthFlags f, int minSSF, int maxSSF);
1010
Specify the local address.
1012
\param addr the address of the local part of the connection
1013
\param port the port number of the local part of the connection
1015
void setLocalAddress(const QString &addr, quint16 port);
1018
Specify the peer address.
1020
\param addr the address of the peer side of the connection
1021
\param port the port number of the peer side of the connection
1023
void setRemoteAddress(const QString &addr, quint16 port);
1026
Specify the id of the externally secured connection
1028
\param authid the id of the connection
1030
void setExternalAuthId(const QString &authid);
1033
Specify a security strength factor for an externally secured
1036
\param strength the security strength factor of the connection
1038
void setExternalSSF(int strength);
1041
Initialise the client side of the connection
1043
startClient must be called on the client side of the connection.
1044
clientStarted will be emitted when the operation is completed.
1046
\param service the name of the service
1047
\param host the client side host name
1048
\param mechlist the list of mechanisms which can be used
1049
\param mode the mode to use on the client side
1051
void startClient(const QString &service, const QString &host, const QStringList &mechlist, ClientSendMode mode = AllowClientSendFirst);
1054
Initialise the server side of the connection
1056
startServer must be called on the server side of the connection.
1057
serverStarted will be emitted when the operation is completed.
1059
\param service the name of the service
1060
\param host the server side host name
1061
\param realm the realm to use
1062
\param mode which mode to use on the server side
1064
void startServer(const QString &service, const QString &host, const QString &realm, ServerSendMode mode = DisableServerSendLast);
1067
Process the first step in server mode (server)
1069
Call this with the mechanism selected by the client. If there
1070
is initial client data, call the other version of this function
1073
\param mech the mechanism to be used.
1075
void putServerFirstStep(const QString &mech);
1078
Process the first step in server mode (server)
1080
Call this with the mechanism selected by the client, and initial
1081
client data. If there is no initial client data, call the other
1082
version of this function instead.
1084
\param mech the mechanism to be used
1085
\param clientInit the initial data provided by the client side
1087
void putServerFirstStep(const QString &mech, const QByteArray &clientInit);
1090
Process an authentication step
1092
Call this with authentication data received from the network.
1093
The only exception is the first step in server mode, in which
1094
case putServerFirstStep must be called.
1096
\param stepData the authentication data from the network
1098
void putStep(const QByteArray &stepData);
1101
Return the mechanism selected (client)
1103
QString mechanism() const;
1106
Return the mechanism list (server)
1108
QStringList mechanismList() const;
1111
Return the realm list, if available (client)
1113
QStringList realmList() const;
1116
Return the security strength factor of the connection
1121
Return the error code
1123
Error errorCode() const;
1126
Return the reason for authentication failure
1128
AuthCondition authCondition() const;
1131
Specify the username to use in authentication
1133
\param user the username to use
1135
void setUsername(const QString &user);
1138
Specify the authorization identity to use in authentication
1140
\param auth the authorization identity to use
1142
void setAuthzid(const QString &auth);
1145
Specify the password to use in authentication
1147
\param pass the password to use
1149
void setPassword(const SecureArray &pass);
1152
Specify the realm to use in authentication
1154
\param realm the realm to use
1156
void setRealm(const QString &realm);
1159
Continue negotiation after parameters have been set (client)
1161
void continueAfterParams();
1164
Continue negotiation after auth ids have been checked (server)
1166
void continueAfterAuthCheck();
1169
virtual int bytesAvailable() const;
1170
virtual int bytesOutgoingAvailable() const;
1171
virtual void write(const QByteArray &a);
1172
virtual QByteArray read();
1173
virtual void writeIncoming(const QByteArray &a);
1174
virtual QByteArray readOutgoing(int *plainBytes = 0);
1175
virtual int convertBytesWritten(qint64 encryptedBytes);
1179
This signal is emitted when the client has been successfully
1182
\param clientInit true if the client should send an initial
1183
response to the server
1184
\param clientInitData the initial response to send to the server.
1185
Do note that there is a difference in SASL between an empty initial
1186
response and no initial response, and so even if clientInitData is
1187
an empty array, you still need to send an initial response if
1190
void clientStarted(bool clientInit, const QByteArray &clientInitData);
1193
This signal is emitted after the server has been
1194
successfully started
1196
void serverStarted();
1199
This signal is emitted when there is data required
1200
to be sent over the network to complete the next
1201
step in the authentication process.
1203
\param stepData the data to send over the network
1205
void nextStep(const QByteArray &stepData);
1208
This signal is emitted when the client needs
1209
additional parameters
1211
After receiving this signal, the application should set
1212
the required parameter values appropriately and then call
1213
continueAfterParams().
1215
\param params the parameters that are required by the client
1217
void needParams(const QCA::SASL::Params ¶ms);
1220
This signal is emitted when the server needs to
1221
perform the authentication check
1223
If the user and authzid are valid, call continueAfterAuthCheck().
1225
\param user the user identification name
1226
\param authzid the user authorization name
1228
void authCheck(const QString &user, const QString &authzid);
1231
This signal is emitted when authentication is complete.
1233
void authenticated();
1236
Q_DISABLE_COPY(SASL)
1239
friend class Private;