summaryrefslogtreecommitdiffstats
path: root/netwerk/socket/nsISSLSocketControl.idl
diff options
context:
space:
mode:
Diffstat (limited to 'netwerk/socket/nsISSLSocketControl.idl')
-rw-r--r--netwerk/socket/nsISSLSocketControl.idl140
1 files changed, 140 insertions, 0 deletions
diff --git a/netwerk/socket/nsISSLSocketControl.idl b/netwerk/socket/nsISSLSocketControl.idl
new file mode 100644
index 000000000..b8c2b4184
--- /dev/null
+++ b/netwerk/socket/nsISSLSocketControl.idl
@@ -0,0 +1,140 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIInterfaceRequestor;
+interface nsIX509Cert;
+
+%{C++
+#include "nsTArrayForwardDeclare.h"
+class nsCString;
+%}
+[ref] native nsCStringTArrayRef(nsTArray<nsCString>);
+
+[scriptable, builtinclass, uuid(418265c8-654e-4fbb-ba62-4eed27de1f03)]
+interface nsISSLSocketControl : nsISupports {
+ attribute nsIInterfaceRequestor notificationCallbacks;
+
+ void proxyStartSSL();
+ void StartTLS();
+
+ /* NPN (Next Protocol Negotiation) is a mechanism for
+ negotiating the protocol to be spoken inside the SSL
+ tunnel during the SSL handshake. The NPNList is the list
+ of offered client side protocols. setNPNList() needs to
+ be called before any data is read or written (including the
+ handshake to be setup correctly. The server determines the
+ priority when multiple matches occur, but if there is no overlap
+ the first protocol in the list is used. */
+
+ [noscript] void setNPNList(in nsCStringTArrayRef aNPNList);
+
+ /* negotiatedNPN is '' if no NPN list was provided by the client,
+ * or if the server did not select any protocol choice from that
+ * list. That also includes the case where the server does not
+ * implement NPN.
+ *
+ * If negotiatedNPN is read before NPN has progressed to the point
+ * where this information is available NS_ERROR_NOT_CONNECTED is
+ * raised.
+ */
+ readonly attribute ACString negotiatedNPN;
+
+ /* For 0RTT we need to know the alpn protocol selected for the last tls
+ * session. This function will return a value if applicable or an error
+ * NS_ERROR_NOT_AVAILABLE.
+ */
+ ACString getAlpnEarlySelection();
+
+ /* If 0RTT handshake was applied and some data has been sent, as soon as
+ * the handshake finishes this attribute will be set to appropriate value.
+ */
+ readonly attribute bool earlyDataAccepted;
+
+ /* When 0RTT is performed, PR_Write will not drive the handshake forward.
+ * It must be forced by calling this function.
+ */
+ void driveHandshake();
+
+ /* Determine if a potential SSL connection to hostname:port with
+ * a desired NPN negotiated protocol of npnProtocol can use the socket
+ * associated with this object instead of making a new one.
+ */
+ boolean joinConnection(
+ in ACString npnProtocol, /* e.g. "spdy/2" */
+ in ACString hostname,
+ in long port);
+
+ /* Determine if existing connection should be trusted to convey information about
+ * a hostname.
+ */
+ boolean isAcceptableForHost(in ACString hostname);
+
+ /* The Key Exchange Algorithm is used when determining whether or
+ not HTTP/2 can be used.
+
+ After a handshake is complete it can be read from KEAUsed.
+ The values correspond to the SSLKEAType enum in NSS or the
+ KEY_EXCHANGE_UNKNOWN constant defined below.
+
+ KEAKeyBits is the size/security-level used for the KEA.
+ */
+
+ [infallible] readonly attribute short KEAUsed;
+ [infallible] readonly attribute unsigned long KEAKeyBits;
+
+ const short KEY_EXCHANGE_UNKNOWN = -1;
+
+ /*
+ * The original flags from the socket provider.
+ */
+ readonly attribute uint32_t providerFlags;
+
+ /* These values are defined by TLS. */
+ const short SSL_VERSION_3 = 0x0300;
+ const short TLS_VERSION_1 = 0x0301;
+ const short TLS_VERSION_1_1 = 0x0302;
+ const short TLS_VERSION_1_2 = 0x0303;
+ const short TLS_VERSION_1_3 = 0x0304;
+ const short SSL_VERSION_UNKNOWN = -1;
+
+ [infallible] readonly attribute short SSLVersionUsed;
+ [infallible] readonly attribute short SSLVersionOffered;
+
+ /* These values match the NSS defined values in sslt.h */
+ const short SSL_MAC_UNKNOWN = -1;
+ const short SSL_MAC_NULL = 0;
+ const short SSL_MAC_MD5 = 1;
+ const short SSL_MAC_SHA = 2;
+ const short SSL_HMAC_MD5 = 3;
+ const short SSL_HMAC_SHA = 4;
+ const short SSL_HMAC_SHA256 = 5;
+ const short SSL_MAC_AEAD = 6;
+
+ [infallible] readonly attribute short MACAlgorithmUsed;
+
+ /**
+ * If set before the server requests a client cert (assuming it does so at
+ * all), then this cert will be presented to the server, instead of asking
+ * the user or searching the set of rememebered user cert decisions.
+ */
+ attribute nsIX509Cert clientCert;
+
+ /**
+ * bypassAuthentication is true if the server certificate checks are
+ * not be enforced. This is to enable non-secure transport over TLS.
+ */
+ [infallible] readonly attribute boolean bypassAuthentication;
+
+ /*
+ * failedVerification is true if any enforced certificate checks have failed.
+ * Connections that have not yet tried to verify, have verifications bypassed,
+ * or are using acceptable exceptions will all return false.
+ */
+ [infallible] readonly attribute boolean failedVerification;
+};
+