Security and Networking Components¶
This diagram models a high-level call flow upon performing an asyncOpen on an nsHttpChannel down into the NSS layer for a typical resource load.
Necko¶
The LoadInfo, which contains security related info, is passed to the channel (nsHttpChannel) on the parent process.
The channel creates a transaction and the nsHttpConnectionMgr on the socket thread is signalled to handle the transaction.
The transaction is then picked up on the socket thread and “dispatched” to a new or existing ConnectionEntry that is hashed by it’s ConnectionInfo.
The underlying connection, nsHttpConnection for Http/1.1 and Http/2 and HttpConnectionUDP for Http/3, will call into NSS for security functionality.
NSS¶
Necko interacts with NSS through two distinct interfaces. Primarily, most access flows via PSM which handles the configuration of TLS sockets, client certificate selection and server certificate verification. However, Neqo (Mozilla’s QUIC library) also relies directly on the TLS implementation inside NSS and uses it as an interface directly.
NSS’s internal structure is fairly convoluted, but there are five main areas relevant for Necko. Starting from the lowest level:
blapi.h - exposes the wrappers for each cryptographic primitive supported by NSS and dispatches them to platform specific implementations.
pkcs11c.c - This wraps those underlying crypto primitives to provide a PKCS11 interface as a single module.
pk11pub.h - This wraps any module providing a PKCS11 interface and exposes high level cryptographic operations. It is widely used across Firefox.
ssl.h and sslexp.h expose our TLS interface for use in Necko’s TLS and Neqo’s QUIC connections.
cert.h exposes the certificate database functionality. pkix.h exposes the MozPkix certificate chain validation functions.