tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit 17f3f42d8253e4527eb796bd2c25e1818678d724
parent c63169e41447ec00756df9dddd048b8c70e1b29d
Author: Dana Keeler <dkeeler@mozilla.com>
Date:   Fri,  9 Jan 2026 23:04:33 +0000

Bug 2009349 - stop setting NSSSocketControl as a PKCS11 pin callback argument r=jschanck

Prior to bug 1791633, the NSS socket control object (then called
nsNSSSocketInfo) was an nsIInterfaceRequestor. nsSSLIOLayerImportFD would set
it as the PKCS11 pin callback argument for the socket with SSL_SetPKCS11PinArg.
This enabled PK11PasswordPromptRunnable::RunOnTargetThread() to get an
nsIPrompt specific to that object, assuming it implemented that interface. In
theory this would enable tying the pin prompt to the window corresponding to
the resource that caused the prompt, but this was never implemented. In any
case, this setup has a few issues, chief among which is that the pin prompt
callback is synchronous; it blocks the socket thread, meaning that no other
networking can progress while the user responds to it. A better setup would be
to make the callback asynchronous, but this would involve significant
architectural changes to NSS. Another better setup would be to return some sort
of "prompt for password and retry" error code from the callback, whereupon the
NSS operation in question would fail. Gecko would see the retry error, prompt
for a password, and retry the operation. This would also involve significant
work.

All that said, after bug 1791633, NSSSocketControl no longer implemented
nsIInterfaceRequestor, which broke PK11PasswordPromptRunnable (when used for
socket PKCS11 pin callbacks). This patch fixes it by no longer calling
SSL_SetPKCS11PinArg. PK11PasswordPromptRunnable falls back to creating a fresh
nsIPrompt object (which is what the old implementation did anyway).

No one noticed this breakage for 3 years because it requires enabling FIPS.

Differential Revision: https://phabricator.services.mozilla.com/D278532

Diffstat:
M security/manager/ssl/nsNSSIOLayer.cpp | 3 ---
1 file changed, 0 insertions(+), 3 deletions(-)

diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp @@ -1258,9 +1258,6 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd, if (!sslSock) { return nullptr; } - if (SSL_SetPKCS11PinArg(sslSock, infoObject) != SECSuccess) { - return nullptr; - } if (SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject) != SECSuccess) { return nullptr;
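
Review bot: nothing at the removal site in nsSSLIOLayerImportFD, between the `if (!sslSock)` check and the `SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject)` call, records that the PKCS11 pin argument is now deliberately left unset. infoObject is still passed to the handshake callback two lines later, so a later reader could easily take the missing SSL_SetPKCS11PinArg call for an oversight and restore it, which would bring back the broken PK11PasswordPromptRunnable path the commit message describes. A one-line comment there, saying that the pin arg is intentionally not set and that the prompt code falls back to creating a fresh nsIPrompt, would guard against that. Separately, the diffstat shows one file changed with 0 insertions, and the commit message says the breakage went unnoticed for 3 years because it requires enabling FIPS; a regression test that exercises a socket PKCS11 pin prompt with FIPS enabled, or a follow-up bug tracking one, would keep this path from regressing silently again.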