OLD | NEW |
1 /* | 1 /* |
2 * This file contains prototypes for the public SSL functions. | 2 * This file contains prototypes for the public SSL functions. |
3 * | 3 * |
4 * This Source Code Form is subject to the terms of the Mozilla Public | 4 * This Source Code Form is subject to the terms of the Mozilla Public |
5 * License, v. 2.0. If a copy of the MPL was not distributed with this | 5 * License, v. 2.0. If a copy of the MPL was not distributed with this |
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
7 | 7 |
8 #ifndef __ssl_h_ | 8 #ifndef __ssl_h_ |
9 #define __ssl_h_ | 9 #define __ssl_h_ |
10 | 10 |
178 * will not be negotiated. ALPN is not negotiated for renegotiation handshakes, | 178 * will not be negotiated. ALPN is not negotiated for renegotiation handshakes, |
179 * even though the ALPN specification defines a way to use ALPN during | 179 * even though the ALPN specification defines a way to use ALPN during |
180 * renegotiations. SSL_ENABLE_ALPN is currently disabled by default, but this | 180 * renegotiations. SSL_ENABLE_ALPN is currently disabled by default, but this |
181 * may change in future versions. | 181 * may change in future versions. |
182 */ | 182 */ |
183 #define SSL_ENABLE_ALPN 26 | 183 #define SSL_ENABLE_ALPN 26 |
184 | 184 |
185 /* SSL_REUSE_SERVER_ECDHE_KEY controls whether the ECDHE server key is | 185 /* SSL_REUSE_SERVER_ECDHE_KEY controls whether the ECDHE server key is |
186 * reused for multiple handshakes or generated each time. | 186 * reused for multiple handshakes or generated each time. |
187 * SSL_REUSE_SERVER_ECDHE_KEY is currently enabled by default. | 187 * SSL_REUSE_SERVER_ECDHE_KEY is currently enabled by default. |
| 188 * This socket option is for ECDHE, only. It is unrelated to DHE. |
188 */ | 189 */ |
189 #define SSL_REUSE_SERVER_ECDHE_KEY 27 | 190 #define SSL_REUSE_SERVER_ECDHE_KEY 27 |
190 | 191 |
191 #define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in | 192 #define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in |
192 * handshakes. */ | 193 * handshakes. */ |
193 | 194 |
| 195 /* SSL_ENABLE_SERVER_DHE controls whether DHE is enabled for the server socket. |
| 196 */ |
| 197 #define SSL_ENABLE_SERVER_DHE 29 |
| 198 |
| 199 /* Use draft-ietf-tls-session-hash. Controls whether we offer the |
| 200 * extended_master_secret extension which, when accepted, hashes |
| 201 * the handshake transcript into the master secret. This option is |
| 202 * disabled by default. |
| 203 */ |
| 204 #define SSL_ENABLE_EXTENDED_MASTER_SECRET 30 |
| 205 |
194 /* Request Signed Certificate Timestamps via TLS extension (client) */ | 206 /* Request Signed Certificate Timestamps via TLS extension (client) */ |
195 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 29 | 207 #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 31 |
196 | 208 |
197 #ifdef SSL_DEPRECATED_FUNCTION | 209 #ifdef SSL_DEPRECATED_FUNCTION |
198 /* Old deprecated function names */ | 210 /* Old deprecated function names */ |
199 SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on); | 211 SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on); |
200 SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on); | 212 SSL_IMPORT SECStatus SSL_EnableDefault(int option, PRBool on); |
201 #endif | 213 #endif |
202 | 214 |
203 /* New function names */ | 215 /* New function names */ |
204 SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on); | 216 SSL_IMPORT SECStatus SSL_OptionSet(PRFileDesc *fd, PRInt32 option, PRBool on); |
205 SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on); | 217 SSL_IMPORT SECStatus SSL_OptionGet(PRFileDesc *fd, PRInt32 option, PRBool *on); |
288 #endif | 300 #endif |
289 | 301 |
290 /* New function names */ | 302 /* New function names */ |
291 SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
abled); | 303 SSL_IMPORT SECStatus SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 cipher, PRBool en
abled); |
292 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *e
nabled); | 304 SSL_IMPORT SECStatus SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 cipher, PRBool *e
nabled); |
293 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); | 305 SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
294 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); | 306 SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
295 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); | 307 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
296 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); | 308 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
297 | 309 |
| 310 /* |
| 311 ** Control for TLS signature algorithms for TLS 1.2 only. |
| 312 ** |
| 313 ** This governs what signature algorithms are sent by a client in the |
| 314 ** signature_algorithms extension. A client will not accept a signature from a |
| 315 ** server unless it uses an enabled algorithm. |
| 316 ** |
| 317 ** This also governs what the server sends in the supported_signature_algorithms |
| 318 ** field of a CertificateRequest. It also changes what the server uses to sign |
| 319 ** ServerKeyExchange: a server uses the first entry from this list that is |
| 320 ** compatible with the client's advertised signature_algorithms extension and |
| 321 ** the selected server certificate. |
| 322 ** |
| 323 ** Omitting SHA-256 from this list might be foolish. Support is mandatory in |
| 324 ** TLS 1.2 and there might be interoperability issues. For a server, NSS only |
| 325 ** supports SHA-256 for verifying a TLS 1.2 CertificateVerify. This list needs |
| 326 ** to include SHA-256 if client authentication is requested or required, or |
| 327 ** creating a CertificateRequest will fail. |
| 328 */ |
| 329 SSL_IMPORT SECStatus SSL_SignaturePrefSet( |
| 330 PRFileDesc *fd, const SSLSignatureAndHashAlg *algorithms, |
| 331 unsigned int count); |
| 332 |
| 333 /* |
| 334 ** Get the currently configured signature algorithms. |
| 335 ** |
| 336 ** The algorithms are written to |algorithms| but not if there are more than |
| 337 ** |maxCount| values configured. The number of algorithms that are in use are |
| 338 ** written to |count|. This fails if |maxCount| is insufficiently large. |
| 339 */ |
| 340 SSL_IMPORT SECStatus SSL_SignaturePrefGet( |
| 341 PRFileDesc *fd, SSLSignatureAndHashAlg *algorithms, unsigned int *count, |
| 342 unsigned int maxCount); |
| 343 |
| 344 /* |
| 345 ** Returns the maximum number of signature algorithms that are supported and |
| 346 ** can be set or retrieved using SSL_SignaturePrefSet or SSL_SignaturePrefGet. |
| 347 */ |
| 348 SSL_IMPORT unsigned int SSL_SignatureMaxCount(); |
| 349 |
| 350 /* SSL_DHEGroupPrefSet is used to configure the set of allowed/enabled DHE group |
| 351 ** parameters that can be used by NSS for the given server socket. |
| 352 ** The first item in the array is used as the default group, if no other |
| 353 ** selection criteria can be used by NSS. |
| 354 ** The set is provided as an array of identifiers as defined by SSLDHEGroupType. |
| 355 ** If more than one group identifier is provided, NSS will select the one to use
. |
| 356 ** For example, a TLS extension sent by the client might indicate a preference. |
| 357 */ |
| 358 SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, |
| 359 SSLDHEGroupType *groups, |
| 360 PRUint16 num_groups); |
| 361 |
| 362 /* Enable the use of a DHE group that's smaller than the library default, |
| 363 ** for backwards compatibility reasons. The DH parameters will be created |
| 364 ** at the time this function is called, which might take a very long time. |
| 365 ** The function will block until generation is completed. |
| 366 ** The intention is to enforce that fresh and safe parameters are generated |
| 367 ** each time a process is started. |
| 368 ** At the time this API was initially implemented, the API will enable the |
| 369 ** use of 1024 bit DHE parameters. This value might get increased in future |
| 370 ** versions of NSS. |
| 371 ** |
| 372 ** It is allowed to call this API will a NULL value for parameter fd, |
| 373 ** which will prepare the global parameters that NSS will reuse for the remainde
r |
| 374 ** of the process lifetime. This can be used early after startup of a process, |
| 375 ** to avoid a delay when handling incoming client connections. |
| 376 ** This preparation with a NULL for parameter fd will NOT enable the weak group |
| 377 ** on sockets. The function needs to be called again for every socket that |
| 378 ** should use the weak group. |
| 379 ** |
| 380 ** It is allowed to use this API in combination with the SSL_DHEGroupPrefSet API
. |
| 381 ** If both APIs have been called, the weakest group will be used, |
| 382 ** unless it is certain that the client supports larger group parameters. |
| 383 ** The weak group will be used as the default group, overriding the preference |
| 384 ** for the first group potentially set with a call to SSL_DHEGroupPrefSet |
| 385 ** (The first group set using SSL_DHEGroupPrefSet will still be enabled, but |
| 386 ** it's no longer the default group.) |
| 387 */ |
| 388 SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled)
; |
| 389 |
298 /* SSL_CipherOrderSet sets the cipher suite preference order from |ciphers|, | 390 /* SSL_CipherOrderSet sets the cipher suite preference order from |ciphers|, |
299 * which must be an array of cipher suite ids of length |len|. All the given | 391 * which must be an array of cipher suite ids of length |len|. All the given |
300 * cipher suite ids must appear in the array that is returned by | 392 * cipher suite ids must appear in the array that is returned by |
301 * |SSL_GetImplementedCiphers| and may only appear once, at most. */ | 393 * |SSL_GetImplementedCiphers| and may only appear once, at most. */ |
302 SSL_IMPORT SECStatus SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, | 394 SSL_IMPORT SECStatus SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, |
303 unsigned int len); | 395 unsigned int len); |
304 | 396 |
305 /* SSLChannelBindingType enumerates the types of supported channel binding | 397 /* SSLChannelBindingType enumerates the types of supported channel binding |
306 * values. See RFC 5929. */ | 398 * values. See RFC 5929. */ |
307 typedef enum SSLChannelBindingType { | 399 typedef enum SSLChannelBindingType { |
1005 /* Set cipher policies to a predefined Policy that is exportable from the USA | 1097 /* Set cipher policies to a predefined Policy that is exportable from the USA |
1006 * according to present U.S. policies as we understand them, and that the | 1098 * according to present U.S. policies as we understand them, and that the |
1007 * nation of France will permit to be imported into their country. | 1099 * nation of France will permit to be imported into their country. |
1008 * It is the same as NSS_SetDomesticPolicy now. | 1100 * It is the same as NSS_SetDomesticPolicy now. |
1009 */ | 1101 */ |
1010 SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); | 1102 SSL_IMPORT SECStatus NSS_SetFrancePolicy(void); |
1011 | 1103 |
1012 SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void); | 1104 SSL_IMPORT SSL3Statistics * SSL_GetStatistics(void); |
1013 | 1105 |
1014 /* Report more information than SSL_SecurityStatus. | 1106 /* Report more information than SSL_SecurityStatus. |
1015 ** Caller supplies the info struct. Function fills it in. | 1107 * Caller supplies the info struct. This function fills it in. |
1016 */ | 1108 * The information here will be zeroed prior to details being confirmed. The |
| 1109 * details are confirmed either when a Finished message is received, or - for a |
| 1110 * client - when the second flight of messages have been sent. This function |
| 1111 * therefore produces unreliable results prior to receiving the |
| 1112 * SSLHandshakeCallback or the SSLCanFalseStartCallback. |
| 1113 */ |
1017 SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, | 1114 SSL_IMPORT SECStatus SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, |
1018 PRUintn len); | 1115 PRUintn len); |
| 1116 /* Get preliminary information about a channel. |
| 1117 * This function can be called prior to handshake details being confirmed (see |
| 1118 * SSL_GetChannelInfo above for what that means). Thus, information provided by |
| 1119 * this function is available to SSLAuthCertificate, SSLGetClientAuthData, |
| 1120 * SSLSNISocketConfig, and other callbacks that might be called during the |
| 1121 * processing of the first flight of client of server handshake messages. |
| 1122 * Values are marked as being unavailable when renegotiation is initiated. |
| 1123 */ |
| 1124 SSL_IMPORT SECStatus |
| 1125 SSL_GetPreliminaryChannelInfo(PRFileDesc *fd, |
| 1126 SSLPreliminaryChannelInfo *info, |
| 1127 PRUintn len); |
1019 SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, | 1128 SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite, |
1020 SSLCipherSuiteInfo *info, PRUintn len); | 1129 SSLCipherSuiteInfo *info, PRUintn len); |
1021 | 1130 |
1022 /* Returnes negotiated through SNI host info. */ | 1131 /* Returnes negotiated through SNI host info. */ |
1023 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); | 1132 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd); |
1024 | 1133 |
1025 /* Export keying material according to RFC 5705. | 1134 /* Export keying material according to RFC 5705. |
1026 ** fd must correspond to a TLS 1.0 or higher socket and out must | 1135 ** fd must correspond to a TLS 1.0 or higher socket and out must |
1027 ** already be allocated. If hasContext is false, it uses the no-context | 1136 ** already be allocated. If hasContext is false, it uses the no-context |
1028 ** construction from the RFC and ignores the context and contextLen | 1137 ** construction from the RFC and ignores the context and contextLen |
1196 * should continue using the connection. If the application passes a non-zero | 1305 * should continue using the connection. If the application passes a non-zero |
1197 * value for second argument (error), or if SSL_AuthCertificateComplete returns | 1306 * value for second argument (error), or if SSL_AuthCertificateComplete returns |
1198 * anything other than SECSuccess, then the application should close the | 1307 * anything other than SECSuccess, then the application should close the |
1199 * connection. | 1308 * connection. |
1200 */ | 1309 */ |
1201 SSL_IMPORT SECStatus SSL_AuthCertificateComplete(PRFileDesc *fd, | 1310 SSL_IMPORT SECStatus SSL_AuthCertificateComplete(PRFileDesc *fd, |
1202 PRErrorCode error); | 1311 PRErrorCode error); |
1203 SEC_END_PROTOS | 1312 SEC_END_PROTOS |
1204 | 1313 |
1205 #endif /* __ssl_h_ */ | 1314 #endif /* __ssl_h_ */ |
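Review bot: Renumbering `SSL_ENABLE_SIGNED_CERT_TIMESTAMPS` from 29 to 31 while assigning 29 to the new `SSL_ENABLE_SERVER_DHE` changes the meaning of an existing option value in a public header. A caller built against the old header that passes 29 to `SSL_OptionSet` would now toggle server-side DHE instead of requesting SCTs, with no error at the call site; that matters only if the library can be linked dynamically or mixed with stale objects, which this page does not show. I would either keep existing values stable and append new options, or record the change at the define, e.g. `/* Was 29 before SSL_ENABLE_SERVER_DHE took that value; all callers must be rebuilt. */`. Separately, `SSL_SignatureMaxCount()` is not a prototype in C and should read `SSL_IMPORT unsigned int SSL_SignatureMaxCount(void);`. The `SSL_EnableWeakDHEPrimeGroup` comment also says "will a NULL" where "with a NULL" is meant.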
OLD | NEW |