DTLS 服务器
本例演示了如何实现一个简单的 DTLS 服务器。
注意: DTLS 服务器示例应与DTLS 客户端示例同时运行。
服务器由 DtlsServer 类实现。它使用QUdpSocket 、QDtlsClientVerifier 和QDtls 来测试每个客户端的可达性、完成握手以及读写加密消息。
class DtlsServer : public QObject { Q_OBJECT public: DtlsServer(); ~DtlsServer(); bool listen(const QHostAddress &address, quint16 port); bool isListening() const; void close(); signals: void errorMessage(const QString &message); void warningMessage(const QString &message); void infoMessage(const QString &message); void datagramReceived(const QString &peerInfo, const QByteArray &cipherText, const QByteArray &plainText); private slots: void readyRead(); void pskRequired(QSslPreSharedKeyAuthenticator *auth); private: void handleNewConnection(const QHostAddress &peerAddress, quint16 peerPort, const QByteArray &clientHello); void doHandshake(QDtls *newConnection, const QByteArray &clientHello); void decryptDatagram(QDtls *connection, const QByteArray &clientMessage); void shutdown(); bool listening = false; QUdpSocket serverSocket; QSslConfiguration serverConfiguration; QDtlsClientVerifier cookieSender; std::vector<std::unique_ptr<QDtls>> knownClients; Q_DISABLE_COPY(DtlsServer) };
构造函数将QUdpSocket::readyRead() 信号连接到 readyRead() 槽,并设置所需的最低 TLS 配置:
DtlsServer::DtlsServer() { connect(&serverSocket, &QAbstractSocket::readyRead, this, &DtlsServer::readyRead); serverConfiguration = QSslConfiguration::defaultDtlsConfiguration(); serverConfiguration.setPreSharedKeyIdentityHint("Qt DTLS example server"); serverConfiguration.setPeerVerifyMode(QSslSocket::VerifyNone); }
注意: 服务器不使用证书,而是依靠预共享密钥(PSK)握手。
listen() 绑定QUdpSocket :
bool DtlsServer::listen(const QHostAddress &address, quint16 port) { if (address != serverSocket.localAddress() || port != serverSocket.localPort()) { shutdown(); listening = serverSocket.bind(address, port); if (!listening) emit errorMessage(serverSocket.errorString()); } else { listening = true; } return listening; }
readyRead() 插槽处理传入的数据报:
... const qint64 bytesToRead = serverSocket.pendingDatagramSize(); if (bytesToRead <= 0) { emit warningMessage(tr("A spurious read notification")); return; } QByteArray dgram(bytesToRead, Qt::Uninitialized); QHostAddress peerAddress; quint16 peerPort = 0; const qint64 bytesRead = serverSocket.readDatagram(dgram.data(), dgram.size(), &peerAddress, &peerPort); if (bytesRead <= 0) { emit warningMessage(tr("Failed to read a datagram: ") + serverSocket.errorString()); return; } dgram.resize(bytesRead); ...
在提取地址和端口号后,服务器首先会测试数据报是否来自已知的对等网络:
... if (peerAddress.isNull() || !peerPort) { emit warningMessage(tr("Failed to extract peer info (address, port)")); return; } const auto client = std::find_if(knownClients.begin(), knownClients.end(), [&](const std::unique_ptr<QDtls> &connection){ return connection->peerAddress() == peerAddress && connection->peerPort() == peerPort; }); ...
如果是新的、未知的地址和端口,数据报将作为 DTLS 客户端发送的潜在 ClientHello 消息处理:
... if (client == knownClients.end()) return handleNewConnection(peerAddress, peerPort, dgram); ...
如果是已知的 DTLS 客户端,服务器会解密数据报:
... if ((*client)->isConnectionEncrypted()) { decryptDatagram(client->get(), dgram); if ((*client)->dtlsError() == QDtlsError::RemoteClosedConnectionError) knownClients.erase(client); return; } ...
或继续与该对等节点握手:
... doHandshake(client->get(), dgram); ...
handleNewConnection()验证它是否是一个可连接的 DTLS 客户端,或者发送 HelloVerifyRequest:
void DtlsServer::handleNewConnection(const QHostAddress &peerAddress, quint16 peerPort, const QByteArray &clientHello) { if (!listening) return; const QString peerInfo = peer_info(peerAddress, peerPort); if (cookieSender.verifyClient(&serverSocket, clientHello, peerAddress, peerPort)) { emit infoMessage(peerInfo + tr(": verified, starting a handshake")); ...
如果新客户端被验证为可连接的 DTLS 客户端,服务器就会创建并配置一个新的QDtls 对象,并开始服务器端握手:
... std::unique_ptr<QDtls> newConnection{new QDtls{QSslSocket::SslServerMode}}; newConnection->setDtlsConfiguration(serverConfiguration); newConnection->setPeer(peerAddress, peerPort); newConnection->connect(newConnection.get(), &QDtls::pskRequired, this, &DtlsServer::pskRequired); knownClients.push_back(std::move(newConnection)); doHandshake(knownClients.back().get(), clientHello); ...
doHandshake() 开始握手阶段:
void DtlsServer::doHandshake(QDtls *newConnection, const QByteArray &clientHello) { const bool result = newConnection->doHandshake(&serverSocket, clientHello); if (!result) { emit errorMessage(newConnection->dtlsErrorString()); return; } const QString peerInfo = peer_info(newConnection->peerAddress(), newConnection->peerPort()); switch (newConnection->handshakeState()) { case QDtls::HandshakeInProgress: emit infoMessage(peerInfo + tr(": handshake is in progress ...")); break; case QDtls::HandshakeComplete: emit infoMessage(tr("Connection with %1 encrypted. %2") .arg(peerInfo, connection_info(newConnection))); break; default: Q_UNREACHABLE(); } }
在握手阶段,会发出QDtls::pskRequired() 信号,pskRequired() 槽会提供预共享密钥:
void DtlsServer::pskRequired(QSslPreSharedKeyAuthenticator *auth) { Q_ASSERT(auth); emit infoMessage(tr("PSK callback, received a client's identity: '%1'") .arg(QString::fromLatin1(auth->identity()))); auth->setPreSharedKey(QByteArrayLiteral("\x1a\x2b\x3c\x4d\x5e\x6f")); }
注: 为简洁起见,pskRequired() 的定义过于简化。QSslPreSharedKeyAuthenticator 类的文档详细解释了如何正确执行该插槽。
网络对等端完成握手后,加密的 DTLS 连接即被视为已建立,服务器会调用 decryptDatagram() 来解密对等端发送的后续数据报。服务器还会向对等网络发送加密响应:
void DtlsServer::decryptDatagram(QDtls *connection, const QByteArray &clientMessage) { Q_ASSERT(connection->isConnectionEncrypted()); const QString peerInfo = peer_info(connection->peerAddress(), connection->peerPort()); const QByteArray dgram = connection->decryptDatagram(&serverSocket, clientMessage); if (dgram.size()) { emit datagramReceived(peerInfo, clientMessage, dgram); connection->writeDatagramEncrypted(&serverSocket, tr("to %1: ACK").arg(peerInfo).toLatin1()); } else if (connection->dtlsError() == QDtlsError::NoError) { emit warningMessage(peerInfo + ": " + tr("0 byte dgram, could be a re-connect attempt?")); } else { emit errorMessage(peerInfo + ": " + connection->dtlsErrorString()); } }
服务器通过调用QDtls::shutdown() 关闭 DTLS 连接:
void DtlsServer::shutdown() { for (const auto &connection : std::exchange(knownClients, {})) connection->shutdown(&serverSocket); serverSocket.close(); }
在运行过程中,服务器通过发出 errorMessage()、warningMessage()、infoMessage() 和 datagramReceived() 信号来报告错误、信息消息和解密数据报。服务器的用户界面会记录这些消息:
const QString colorizer(QStringLiteral("<font color=\"%1\">%2</font><br>")); void MainWindow::addErrorMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("Crimson"), message)); } void MainWindow::addWarningMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkOrange"), message)); } void MainWindow::addInfoMessage(const QString &message) { ui->serverInfo->insertHtml(colorizer.arg(QStringLiteral("DarkBlue"), message)); } void MainWindow::addClientMessage(const QString &peerInfo, const QByteArray &datagram, const QByteArray &plainText) { static const QString messageColor = QStringLiteral("DarkMagenta"); static const QString formatter = QStringLiteral("<br>---------------" "<br>A message from %1" "<br>DTLS datagram:<br> %2" "<br>As plain text:<br> %3"); const QString html = formatter.arg(peerInfo, QString::fromUtf8(datagram.toHex(' ')), QString::fromUtf8(plainText)); ui->messages->insertHtml(colorizer.arg(messageColor, html)); }
© 2025 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.
