diff options
Diffstat (limited to 'security/manager/ssl/nsITLSSocketControl.idl')
-rw-r--r-- | security/manager/ssl/nsITLSSocketControl.idl | 187 |
1 files changed, 187 insertions, 0 deletions
diff --git a/security/manager/ssl/nsITLSSocketControl.idl b/security/manager/ssl/nsITLSSocketControl.idl new file mode 100644 index 0000000000..ae34ec73b6 --- /dev/null +++ b/security/manager/ssl/nsITLSSocketControl.idl @@ -0,0 +1,187 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIInterfaceRequestor; +interface nsITlsHandshakeCallbackListener; +interface nsITransportSecurityInfo; +interface nsIX509Cert; + +%{C++ +#include "nsStringFwd.h" +#include "nsTArrayForwardDeclare.h" +%} +[ref] native nsCStringTArrayRef(nsTArray<nsCString>); + +// An interface describing an object that controls and holds information about +// a TLS handshake. +// NB: The implementations of this interface may only be used on the socket +// thread (except for asyncGetSecurityInfo); +[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)] +interface nsITLSSocketControl : nsISupports { + void proxyStartSSL(); + void StartTLS(); + + /* NPN (Next Protocol Negotiation) is a mechanism for + negotiating the protocol to be spoken inside the SSL + tunnel during the SSL handshake. The NPNList is the list + of offered client side protocols. setNPNList() needs to + be called before any data is read or written (including the + handshake to be setup correctly. The server determines the + priority when multiple matches occur, but if there is no overlap + the first protocol in the list is used. */ + + [noscript] void setNPNList(in nsCStringTArrayRef aNPNList); + + /* For 0RTT we need to know the alpn protocol selected for the last tls + * session. This function will return a value if applicable or an error + * NS_ERROR_NOT_AVAILABLE. + */ + ACString getAlpnEarlySelection(); + + /* If 0RTT handshake was applied and some data has been sent, as soon as + * the handshake finishes this attribute will be set to appropriate value. + */ + readonly attribute bool earlyDataAccepted; + + /* When 0RTT is performed, PR_Write will not drive the handshake forward. + * It must be forced by calling this function. + */ + void driveHandshake(); + + /* Determine if a potential SSL connection to hostname:port with + * a desired NPN negotiated protocol of npnProtocol can use the socket + * associated with this object instead of making a new one. And if so, combine + * them. + */ + boolean joinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* just like JoinConnection() except do not mark a successful test as joined. + */ + boolean testJoinConnection( + in ACString npnProtocol, /* e.g. "h2" */ + in ACString hostname, + in long port); + + /* Determine if existing connection should be trusted to convey information about + * a hostname. + */ + boolean isAcceptableForHost(in ACString hostname); + + /* The Key Exchange Algorithm is used when determining whether or + not HTTP/2 can be used. + + After a handshake is complete it can be read from KEAUsed. + The values correspond to the SSLKEAType enum in NSS or the + KEY_EXCHANGE_UNKNOWN constant defined below. + + KEAKeyBits is the size/security-level used for the KEA. + */ + + [infallible] readonly attribute short KEAUsed; + [infallible] readonly attribute unsigned long KEAKeyBits; + + const short KEY_EXCHANGE_UNKNOWN = -1; + + /* + * The original flags from the socket provider. + */ + readonly attribute uint32_t providerFlags; + + /* These values are defined by TLS. */ + const short SSL_VERSION_3 = 0x0300; + const short TLS_VERSION_1 = 0x0301; + const short TLS_VERSION_1_1 = 0x0302; + const short TLS_VERSION_1_2 = 0x0303; + const short TLS_VERSION_1_3 = 0x0304; + const short SSL_VERSION_UNKNOWN = -1; + + [infallible] readonly attribute short SSLVersionUsed; + [infallible] readonly attribute short SSLVersionOffered; + + /* These values match the NSS defined values in sslt.h */ + const short SSL_MAC_UNKNOWN = -1; + const short SSL_MAC_NULL = 0; + const short SSL_MAC_MD5 = 1; + const short SSL_MAC_SHA = 2; + const short SSL_HMAC_MD5 = 3; + const short SSL_HMAC_SHA = 4; + const short SSL_HMAC_SHA256 = 5; + const short SSL_MAC_AEAD = 6; + + [infallible] readonly attribute short MACAlgorithmUsed; + + /** + * If set to true before the server requests a client cert + * no cert will be sent. + */ + [notxpcom, nostdcall] attribute boolean denyClientCert; + + /** + * True iff a client cert has been sent to the server - i.e. this + * socket has been client-cert authenticated. + */ + [infallible] readonly attribute boolean clientCertSent; + + /* + * failedVerification is true if any enforced certificate checks have failed. + * Connections that have not yet tried to verify, or are using acceptable + * exceptions will all return false. + */ + [infallible] readonly attribute boolean failedVerification; + + /* + * esniTxt is a string that consists of the concatenated _esni. TXT records. + * This is a base64 encoded ESNIKeys structure. + */ + attribute ACString esniTxt; + + /* + * echConfig is defined for conveying the ECH configuration. + * This is encoded in base64. + */ + attribute ACString echConfig; + + /** + * The echConfig that should be used to retry for the connection setup. + */ + readonly attribute ACString retryEchConfig; + + /** + * Disable early data. + */ + [noscript] void disableEarlyData(); + + [noscript] void setHandshakeCallbackListener(in nsITlsHandshakeCallbackListener callback); + + /** + * The id used to uniquely identify the connection to the peer. + */ + readonly attribute ACString peerId; + + /** + * The securityInfo of the TLS handshake. + */ + readonly attribute nsITransportSecurityInfo securityInfo; + + /** + * Asynchronously obtain the securityInfo of the TLS handshake. Resolves + * with an nsITransportSecurityInfo. This should probably only be used in + * tests, where JS running on the main thread cannot access any of the + * other fields of nsITLSSocketControl. + */ + [implicit_jscontext, must_use] + Promise asyncGetSecurityInfo(); + + /** + * Claim a speculative connection. + */ + void claim(); +}; |