diff options
Diffstat (limited to '')
-rw-r--r-- | netwerk/socket/nsISSLSocketControl.idl | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/netwerk/socket/nsISSLSocketControl.idl b/netwerk/socket/nsISSLSocketControl.idl new file mode 100644 index 0000000000..41e653177f --- /dev/null +++ b/netwerk/socket/nsISSLSocketControl.idl @@ -0,0 +1,170 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInterfaceRequestor; +interface nsIX509Cert; + +%{C++ +#include "nsStringFwd.h" +#include "nsTArrayForwardDeclare.h" +%} +[ref] native nsCStringTArrayRef(nsTArray<nsCString>); + +[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)] +interface nsISSLSocketControl : nsISupports { + attribute nsIInterfaceRequestor notificationCallbacks; + + void proxyStartSSL(); + void StartTLS(); + + /* NPN (Next Protocol Negotiation) is a mechanism for + negotiating the protocol to be spoken inside the SSL + tunnel during the SSL handshake. The NPNList is the list + of offered client side protocols. setNPNList() needs to + be called before any data is read or written (including the + handshake to be setup correctly. The server determines the + priority when multiple matches occur, but if there is no overlap + the first protocol in the list is used. */ + + [noscript] void setNPNList(in nsCStringTArrayRef aNPNList); + + /* For 0RTT we need to know the alpn protocol selected for the last tls + * session. This function will return a value if applicable or an error + * NS_ERROR_NOT_AVAILABLE. + */ + ACString getAlpnEarlySelection(); + + /* If 0RTT handshake was applied and some data has been sent, as soon as + * the handshake finishes this attribute will be set to appropriate value. + */ + readonly attribute bool earlyDataAccepted; + + /* When 0RTT is performed, PR_Write will not drive the handshake forward. + * It must be forced by calling this function. + */ + void driveHandshake(); + + /* Determine if a potential SSL connection to hostname:port with + * a desired NPN negotiated protocol of npnProtocol can use the socket + * associated with this object instead of making a new one. And if so, combine + * them. + */ + boolean joinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* just like JoinConnection() except do not mark a successful test as joined. + */ + boolean testJoinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* Determine if existing connection should be trusted to convey information about + * a hostname. + */ + boolean isAcceptableForHost(in ACString hostname); + + /* The Key Exchange Algorithm is used when determining whether or + not HTTP/2 can be used. + + After a handshake is complete it can be read from KEAUsed. + The values correspond to the SSLKEAType enum in NSS or the + KEY_EXCHANGE_UNKNOWN constant defined below. + + KEAKeyBits is the size/security-level used for the KEA. + */ + + [infallible] readonly attribute short KEAUsed; + [infallible] readonly attribute unsigned long KEAKeyBits; + + const short KEY_EXCHANGE_UNKNOWN = -1; + + /* + * The original flags from the socket provider. + */ + readonly attribute uint32_t providerFlags; + + /* + * The original TLS flags from the socket provider. + */ + readonly attribute uint32_t providerTlsFlags; + + /* These values are defined by TLS. */ + const short SSL_VERSION_3 = 0x0300; + const short TLS_VERSION_1 = 0x0301; + const short TLS_VERSION_1_1 = 0x0302; + const short TLS_VERSION_1_2 = 0x0303; + const short TLS_VERSION_1_3 = 0x0304; + const short SSL_VERSION_UNKNOWN = -1; + + [infallible] readonly attribute short SSLVersionUsed; + [infallible] readonly attribute short SSLVersionOffered; + + /* These values match the NSS defined values in sslt.h */ + const short SSL_MAC_UNKNOWN = -1; + const short SSL_MAC_NULL = 0; + const short SSL_MAC_MD5 = 1; + const short SSL_MAC_SHA = 2; + const short SSL_HMAC_MD5 = 3; + const short SSL_HMAC_SHA = 4; + const short SSL_HMAC_SHA256 = 5; + const short SSL_MAC_AEAD = 6; + + [infallible] readonly attribute short MACAlgorithmUsed; + + /** + * If set to true before the server requests a client cert + * no cert will be sent. + */ + [notxpcom, nostdcall] attribute boolean denyClientCert; + + /** + * If set before the server requests a client cert (assuming it does so at + * all), then this cert will be presented to the server, instead of asking + * the user or searching the set of rememebered user cert decisions. + */ + attribute nsIX509Cert clientCert; + + /** + * True iff a client cert has been sent to the server - i.e. this + * socket has been client-cert authenticated. + */ + [infallible] readonly attribute boolean clientCertSent; + + /* + * failedVerification is true if any enforced certificate checks have failed. + * Connections that have not yet tried to verify, or are using acceptable + * exceptions will all return false. + */ + [infallible] readonly attribute boolean failedVerification; + + /* + * esniTxt is a string that consists of the concatenated _esni. TXT records. + * This is a base64 encoded ESNIKeys structure. + */ + attribute ACString esniTxt; + + /* + * echConfig is defined for conveying the ECH configuration. + * This is encoded in base64. + */ + attribute ACString echConfig; + + /** + * The id used to uniquely identify the connection to the peer. + */ + readonly attribute ACString peerId; + + /** + * The echConfig that should be used to retry for the connection setup. + */ + readonly attribute ACString retryEchConfig; +}; + |