DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (b6d82b1a6b02)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsIServerSocket.idl"

interface nsIX509Cert;
interface nsITLSServerSecurityObserver;
interface nsISocketTransport;

[scriptable, uuid(cc2c30f9-cfaa-4b8a-bd44-c24881981b74)]
interface nsITLSServerSocket : nsIServerSocket
{
  /**
   * serverCert
   *
   * The server's certificate that is presented to the client during the TLS
   * handshake.  This is required to be set before calling |asyncListen|.
   */
  attribute nsIX509Cert serverCert;

  /**
   * setSessionTickets
   *
   * Whether the server should support session tickets.  Defaults to true.  This
   * should be set before calling |asyncListen| if you wish to change the
   * default.
   */
  void setSessionTickets(in boolean aSessionTickets);

  /**
   * Values for setRequestClientCertificate
   */
  // Never request
  const unsigned long REQUEST_NEVER           = 0;
  // Request (but do not require) during the first handshake only
  const unsigned long REQUEST_FIRST_HANDSHAKE = 1;
  // Request (but do not require) during each handshake
  const unsigned long REQUEST_ALWAYS          = 2;
  // Require during the first handshake only
  const unsigned long REQUIRE_FIRST_HANDSHAKE = 3;
  // Require during each handshake
  const unsigned long REQUIRE_ALWAYS          = 4;

  /**
   * setRequestClientCertificate
   *
   * Whether the server should request and/or require a client auth certificate
   * from the client.  Defaults to REQUEST_NEVER.  See the possible options
   * above.  This should be set before calling |asyncListen| if you wish to
   * change the default.
   */
  void setRequestClientCertificate(in unsigned long aRequestClientCert);

  /**
   * setVersionRange
   *
   * The server's TLS versions that is used by the TLS handshake.
   * This is required to be set before calling |asyncListen|.
   *
   * aMinVersion and aMaxVersion is a TLS version value from
   * |nsITLSClientStatus| constants.
   */
  void setVersionRange(in unsigned short aMinVersion,
                       in unsigned short aMaxVersion);
};

/**
 * Security summary for a given TLS client connection being handled by a
 * |nsITLSServerSocket| server.
 *
 * This is accessible through the security info object on the transport, which
 * will be an instance of |nsITLSServerConnectionInfo| (see below).
 *
 * The values of these attributes are available once the |onHandshakeDone|
 * method of the security observer has been called (see
 * |nsITLSServerSecurityObserver| below).
 */
[scriptable, uuid(19668ea4-e5ad-4182-9698-7e890d48f327)]
interface nsITLSClientStatus : nsISupports
{
  /**
   * peerCert
   *
   * The client's certificate, if one was requested via |requestCertificate|
   * above and supplied by the client.
   */
  readonly attribute nsIX509Cert peerCert;

  /**
   * Values for tlsVersionUsed, as defined by TLS
   */
  const short SSL_VERSION_3   = 0x0300;
  const short TLS_VERSION_1   = 0x0301;
  const short TLS_VERSION_1_1 = 0x0302;
  const short TLS_VERSION_1_2 = 0x0303;
  const short TLS_VERSION_1_3 = 0x0304;
  const short TLS_VERSION_UNKNOWN = -1;

  /**
   * tlsVersionUsed
   *
   * The version of TLS used by the connection.  See values above.
   */
  readonly attribute short tlsVersionUsed;

  /**
   * cipherName
   *
   * Name of the cipher suite used, such as
   * "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256".
   * See security/nss/lib/ssl/sslinfo.c for the possible values.
   */
  readonly attribute ACString cipherName;

  /**
   * keyLength
   *
   * The "effective" key size of the symmetric key in bits.
   */
  readonly attribute unsigned long keyLength;

  /**
   * macLength
   *
   * The size of the MAC in bits.
   */
  readonly attribute unsigned long macLength;
};

/**
 * Connection info for a given TLS client connection being handled by a
 * |nsITLSServerSocket| server.  This object is thread-safe.
 *
 * This is exposed as the security info object on the transport, so it can be
 * accessed via |transport.securityInfo|.
 *
 * This interface is available by the time the |onSocketAttached| is called,
 * which is the first time the TLS server consumer is notified of a new client.
 */
[scriptable, uuid(8a93f5d5-eddd-4c62-a4bd-bfd297653184)]
interface nsITLSServerConnectionInfo : nsISupports
{
  /**
   * setSecurityObserver
   *
   * Set the security observer to be notified when the TLS handshake has
   * completed.
   */
  void setSecurityObserver(in nsITLSServerSecurityObserver observer);

  /**
   * serverSocket
   *
   * The nsITLSServerSocket instance that accepted this client connection.
   */
  readonly attribute nsITLSServerSocket serverSocket;

  /**
   * status
   *
   * Security summary for this TLS client connection.  Note that the values of
   * this interface are not available until the TLS handshake has completed.
   * See |nsITLSClientStatus| above for more details.
   */
  readonly attribute nsITLSClientStatus status;
};

[scriptable, uuid(1f62e1ae-e546-4a38-8917-d428472ed736)]
interface nsITLSServerSecurityObserver : nsISupports
{
  /**
   * onHandsakeDone
   *
   * This method is called once the TLS handshake is completed.  This takes
   * place after |onSocketAccepted| has been called, which typically opens the
   * streams to keep things moving along. It's important to be aware that the
   * handshake has not completed at the point that |onSocketAccepted| is called,
   * so no security verification can be done until this method is called.
   */
  void onHandshakeDone(in nsITLSServerSocket aServer,
                       in nsITLSClientStatus aStatus);
};