mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-24 13:21:05 +00:00
178 lines
6.1 KiB
Plaintext
178 lines
6.1 KiB
Plaintext
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsISupports.idl"
|
|
|
|
interface nsIInterfaceRequestor;
|
|
interface nsIX509Cert;
|
|
|
|
%{C++
|
|
#include "nsStringFwd.h"
|
|
#include "nsTArrayForwardDeclare.h"
|
|
%}
|
|
[ref] native nsCStringTArrayRef(nsTArray<nsCString>);
|
|
|
|
[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)]
|
|
interface nsISSLSocketControl : nsISupports {
|
|
attribute nsIInterfaceRequestor notificationCallbacks;
|
|
|
|
void proxyStartSSL();
|
|
void StartTLS();
|
|
|
|
/* NPN (Next Protocol Negotiation) is a mechanism for
|
|
negotiating the protocol to be spoken inside the SSL
|
|
tunnel during the SSL handshake. The NPNList is the list
|
|
of offered client side protocols. setNPNList() needs to
|
|
be called before any data is read or written (including the
|
|
handshake to be setup correctly. The server determines the
|
|
priority when multiple matches occur, but if there is no overlap
|
|
the first protocol in the list is used. */
|
|
|
|
[noscript] void setNPNList(in nsCStringTArrayRef aNPNList);
|
|
|
|
/* negotiatedNPN is '' if no NPN list was provided by the client,
|
|
* or if the server did not select any protocol choice from that
|
|
* list. That also includes the case where the server does not
|
|
* implement NPN.
|
|
*
|
|
* If negotiatedNPN is read before NPN has progressed to the point
|
|
* where this information is available NS_ERROR_NOT_CONNECTED is
|
|
* raised.
|
|
*/
|
|
readonly attribute ACString negotiatedNPN;
|
|
|
|
/* For 0RTT we need to know the alpn protocol selected for the last tls
|
|
* session. This function will return a value if applicable or an error
|
|
* NS_ERROR_NOT_AVAILABLE.
|
|
*/
|
|
ACString getAlpnEarlySelection();
|
|
|
|
/* If 0RTT handshake was applied and some data has been sent, as soon as
|
|
* the handshake finishes this attribute will be set to appropriate value.
|
|
*/
|
|
readonly attribute bool earlyDataAccepted;
|
|
|
|
/* When 0RTT is performed, PR_Write will not drive the handshake forward.
|
|
* It must be forced by calling this function.
|
|
*/
|
|
void driveHandshake();
|
|
|
|
/* Determine if a potential SSL connection to hostname:port with
|
|
* a desired NPN negotiated protocol of npnProtocol can use the socket
|
|
* associated with this object instead of making a new one. And if so, combine
|
|
* them.
|
|
*/
|
|
boolean joinConnection(
|
|
in ACString npnProtocol, /* e.g. "h2" */
|
|
in ACString hostname,
|
|
in long port);
|
|
|
|
/* just like JoinConnection() except do not mark a successful test as joined.
|
|
*/
|
|
boolean testJoinConnection(
|
|
in ACString npnProtocol, /* e.g. "h2" */
|
|
in ACString hostname,
|
|
in long port);
|
|
|
|
/* Determine if existing connection should be trusted to convey information about
|
|
* a hostname.
|
|
*/
|
|
boolean isAcceptableForHost(in ACString hostname);
|
|
|
|
/* The Key Exchange Algorithm is used when determining whether or
|
|
not HTTP/2 can be used.
|
|
|
|
After a handshake is complete it can be read from KEAUsed.
|
|
The values correspond to the SSLKEAType enum in NSS or the
|
|
KEY_EXCHANGE_UNKNOWN constant defined below.
|
|
|
|
KEAKeyBits is the size/security-level used for the KEA.
|
|
*/
|
|
|
|
[infallible] readonly attribute short KEAUsed;
|
|
[infallible] readonly attribute unsigned long KEAKeyBits;
|
|
|
|
const short KEY_EXCHANGE_UNKNOWN = -1;
|
|
|
|
/*
|
|
* The original flags from the socket provider.
|
|
*/
|
|
readonly attribute uint32_t providerFlags;
|
|
|
|
/*
|
|
* The original TLS flags from the socket provider.
|
|
*/
|
|
readonly attribute uint32_t providerTlsFlags;
|
|
|
|
/* These values are defined by TLS. */
|
|
const short SSL_VERSION_3 = 0x0300;
|
|
const short TLS_VERSION_1 = 0x0301;
|
|
const short TLS_VERSION_1_1 = 0x0302;
|
|
const short TLS_VERSION_1_2 = 0x0303;
|
|
const short TLS_VERSION_1_3 = 0x0304;
|
|
const short SSL_VERSION_UNKNOWN = -1;
|
|
|
|
[infallible] readonly attribute short SSLVersionUsed;
|
|
[infallible] readonly attribute short SSLVersionOffered;
|
|
|
|
/* These values match the NSS defined values in sslt.h */
|
|
const short SSL_MAC_UNKNOWN = -1;
|
|
const short SSL_MAC_NULL = 0;
|
|
const short SSL_MAC_MD5 = 1;
|
|
const short SSL_MAC_SHA = 2;
|
|
const short SSL_HMAC_MD5 = 3;
|
|
const short SSL_HMAC_SHA = 4;
|
|
const short SSL_HMAC_SHA256 = 5;
|
|
const short SSL_MAC_AEAD = 6;
|
|
|
|
[infallible] readonly attribute short MACAlgorithmUsed;
|
|
|
|
/**
|
|
* If set to true before the server requests a client cert
|
|
* no cert will be sent.
|
|
*/
|
|
[notxpcom, nostdcall] attribute boolean denyClientCert;
|
|
|
|
/**
|
|
* If set before the server requests a client cert (assuming it does so at
|
|
* all), then this cert will be presented to the server, instead of asking
|
|
* the user or searching the set of rememebered user cert decisions.
|
|
*/
|
|
attribute nsIX509Cert clientCert;
|
|
|
|
/**
|
|
* True iff a client cert has been sent to the server - i.e. this
|
|
* socket has been client-cert authenticated.
|
|
*/
|
|
[infallible] readonly attribute boolean clientCertSent;
|
|
|
|
/**
|
|
* bypassAuthentication is true if the server certificate checks are
|
|
* not be enforced. This is to enable non-secure transport over TLS.
|
|
*/
|
|
[infallible] readonly attribute boolean bypassAuthentication;
|
|
|
|
/*
|
|
* failedVerification is true if any enforced certificate checks have failed.
|
|
* Connections that have not yet tried to verify, have verifications bypassed,
|
|
* or are using acceptable exceptions will all return false.
|
|
*/
|
|
[infallible] readonly attribute boolean failedVerification;
|
|
|
|
/*
|
|
* esniTxt is a string that consists of the concatenated _esni. TXT records.
|
|
* This is a base64 encoded ESNIKeys structure.
|
|
*/
|
|
attribute ACString esniTxt;
|
|
|
|
/**
|
|
* If the server certificate is present, serverCertIsBuiltInRoot is true if
|
|
* the root certificate for the server certificate is built in.
|
|
*/
|
|
readonly attribute boolean serverRootCertIsBuiltInRoot;
|
|
};
|
|
|