summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsNSSIOLayer.h
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:47:29 +0000
commit0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d (patch)
treea31f07c9bcca9d56ce61e9a1ffd30ef350d513aa /security/manager/ssl/nsNSSIOLayer.h
parentInitial commit. (diff)
downloadfirefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.tar.xz
firefox-esr-0ebf5bdf043a27fd3dfb7f92e0cb63d88954c44d.zip
Adding upstream version 115.8.0esr.upstream/115.8.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/nsNSSIOLayer.h')
-rw-r--r--security/manager/ssl/nsNSSIOLayer.h134
1 files changed, 134 insertions, 0 deletions
diff --git a/security/manager/ssl/nsNSSIOLayer.h b/security/manager/ssl/nsNSSIOLayer.h
new file mode 100644
index 0000000000..c819889257
--- /dev/null
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -0,0 +1,134 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef nsNSSIOLayer_h
+#define nsNSSIOLayer_h
+
+#include "mozilla/Assertions.h"
+#include "mozilla/TimeStamp.h"
+#include "mozilla/UniquePtr.h"
+#include "nsCOMPtr.h"
+#include "nsIProxyInfo.h"
+#include "nsITLSSocketControl.h"
+#include "nsITlsHandshakeListener.h"
+#include "nsNSSCertificate.h"
+#include "nsTHashMap.h"
+#include "nsTHashtable.h"
+#include "sslt.h"
+
+namespace mozilla {
+class OriginAttributes;
+namespace psm {
+class SharedSSLState;
+} // namespace psm
+} // namespace mozilla
+
+const uint32_t kIPCClientCertsSlotTypeModern = 1;
+const uint32_t kIPCClientCertsSlotTypeLegacy = 2;
+
+using mozilla::OriginAttributes;
+
+class nsIObserver;
+
+// Order matters for UpdateEchExtensioNStatus.
+enum class EchExtensionStatus {
+ kNotPresent, // No ECH Extension was sent
+ kGREASE, // A GREASE ECH Extension was sent
+ kReal // A 'real' ECH Extension was sent
+};
+
+class nsSSLIOLayerHelpers {
+ public:
+ explicit nsSSLIOLayerHelpers(uint32_t aTlsFlags = 0);
+ ~nsSSLIOLayerHelpers();
+
+ nsresult Init();
+ void Cleanup();
+
+ static bool nsSSLIOLayerInitialized;
+ static PRDescIdentity nsSSLIOLayerIdentity;
+ static PRDescIdentity nsSSLPlaintextLayerIdentity;
+ static PRIOMethods nsSSLIOLayerMethods;
+ static PRIOMethods nsSSLPlaintextLayerMethods;
+
+ bool mTreatUnsafeNegotiationAsBroken;
+
+ void setTreatUnsafeNegotiationAsBroken(bool broken);
+ bool treatUnsafeNegotiationAsBroken();
+
+ private:
+ struct IntoleranceEntry {
+ uint16_t tolerant;
+ uint16_t intolerant;
+ PRErrorCode intoleranceReason;
+
+ void AssertInvariant() const {
+ MOZ_ASSERT(intolerant == 0 || tolerant < intolerant);
+ }
+ };
+ nsTHashMap<nsCStringHashKey, IntoleranceEntry> mTLSIntoleranceInfo;
+ // Sites that require insecure fallback to TLS 1.0, set by the pref
+ // security.tls.insecure_fallback_hosts, which is a comma-delimited
+ // list of domain names.
+ nsTHashtable<nsCStringHashKey> mInsecureFallbackSites;
+
+ public:
+ void rememberTolerantAtVersion(const nsACString& hostname, int16_t port,
+ uint16_t tolerant);
+ bool fallbackLimitReached(const nsACString& hostname, uint16_t intolerant);
+ bool rememberIntolerantAtVersion(const nsACString& hostname, int16_t port,
+ uint16_t intolerant, uint16_t minVersion,
+ PRErrorCode intoleranceReason);
+ void forgetIntolerance(const nsACString& hostname, int16_t port);
+ void adjustForTLSIntolerance(const nsACString& hostname, int16_t port,
+ /*in/out*/ SSLVersionRange& range);
+ PRErrorCode getIntoleranceReason(const nsACString& hostname, int16_t port);
+
+ void clearStoredData();
+ void loadVersionFallbackLimit();
+ void setInsecureFallbackSites(const nsCString& str);
+ void initInsecureFallbackSites();
+ bool isPublic() const;
+ void removeInsecureFallbackSite(const nsACString& hostname, uint16_t port);
+ bool isInsecureFallbackSite(const nsACString& hostname);
+
+ uint16_t mVersionFallbackLimit;
+
+ private:
+ mozilla::Mutex mutex MOZ_UNANNOTATED;
+ nsCOMPtr<nsIObserver> mPrefObserver;
+ uint32_t mTlsFlags;
+};
+
+nsresult nsSSLIOLayerNewSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc** fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t flags,
+ uint32_t tlsFlags);
+
+nsresult nsSSLIOLayerAddToSocket(int32_t family, const char* host, int32_t port,
+ nsIProxyInfo* proxy,
+ const OriginAttributes& originAttributes,
+ PRFileDesc* fd,
+ nsITLSSocketControl** tlsSocketControl,
+ bool forSTARTTLS, uint32_t flags,
+ uint32_t tlsFlags);
+
+extern "C" {
+using FindObjectsCallback = void (*)(uint8_t type, size_t id_len,
+ const uint8_t* id, size_t data_len,
+ const uint8_t* data, uint32_t slotType,
+ void* ctx);
+void DoFindObjects(FindObjectsCallback cb, void* ctx);
+using SignCallback = void (*)(size_t data_len, const uint8_t* data, void* ctx);
+void DoSign(size_t cert_len, const uint8_t* cert, size_t data_len,
+ const uint8_t* data, size_t params_len, const uint8_t* params,
+ SignCallback cb, void* ctx);
+}
+
+#endif // nsNSSIOLayer_h