tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

sec-necko-components.md (3787B)


Security and Networking Components

This diagram models the high-level call flow for a typical resource load, from an asyncOpen on an nsHttpChannel down into the NSS layer.

Necko

  1. Code at client side

is passed to the channel (nsHttpChannel) on the parent process.

  1. Code at client side
  2. Code at client side
  3. Code at client side

NSS

Necko interacts with NSS through two distinct interfaces. Most access goes through PSM, which handles the configuration of TLS sockets, client certificate selection and server certificate verification. Neqo (Mozilla's QUIC library), however, bypasses PSM and uses the TLS implementation inside NSS directly.

NSS's internal structure is fairly convoluted, but five main areas are relevant to Necko. Starting from the lowest level:

  1. Code at client side
  2. Code at client side
  3. Code at client side
  4. Code at client side
  5. Code at client side
```mermaid
classDiagram

class LoadInfo{
    +Principal(s) (loading, triggering, toInherit)
    +Context
}

nsHttpChannel --> nsHttpTransaction
nsHttpTransaction --> nsHttpConnectionMgr
nsHttpConnectionMgr --> ConnectionEntry : Via ConnectionInfo hash
ConnectionEntry --> HttpConnectionBase

HttpConnectionBase <-- nsHttpConnection : Is A
HttpConnectionBase <-- HttpConnectionUDP : Is A

nsHttpConnection --> nsSocketTransport2
nsSocketTransport2 --> PSM
PSM --> NSPR
PSM --> `Off Main Thread CertVerifier`
Neqo --> `Off Main Thread CertVerifier`

%% for Http/3
HttpConnectionUDP --> Http3Session : Http/3
HttpConnectionUDP --> nsUDPSocket : Http/3
nsUDPSocket --> NSPR : Http/3
Http3Session --> Neqo : Http/3

%% security TCP stack
PSM --> TLS
`Off Main Thread CertVerifier` --> PKCS11
TLS --> PKCS11
PKCS11 --> Blapi
Blapi --> `Crypto Primitives`
`Crypto Primitives` --> `Platform-Specific Crypto Implementations`

%% transport security info
PSM -- `Transport Security Info`
`Transport Security Info` --> nsHttpChannel

%% security UDP stack
Neqo --> TLS
`Off Main Thread CertVerifier` --> CertDB
CertDB --> Builtins


%% classes

nsHttpChannel o-- LoadInfo
nsHttpChannel o-- StreamListener
nsHttpConnectionMgr o-- ConnectionEntry : Many
```
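The diagram routes a channel to a ConnectionEntry "via ConnectionInfo hash" and attaches a LoadInfo carrying the load's principals. The following is an added illustration, not Necko's or Tor Browser's own code, that models that dispatch in miniature: a channel derives a ConnectionInfo-style key from the target origin plus the LoadInfo, the connection manager looks up or creates an entry under that key, and the entry's transport is TCP/TLS (the nsHttpConnection/PSM path) or UDP/QUIC (the HttpConnectionUDP/Neqo path). The security point it makes is why the key must carry isolation attributes (partition key, anonymous flag, private browsing): with those left out, two first-party sites loading the same third-party origin share one pooled connection, and the third party can link the two visits through connection reuse. All struct, function and field names here are stand-ins chosen for the example, and the exact set of fields in the real nsHttpConnectionInfo key is an assumption about the model, not a statement about the project's code.

```cpp
// Added example (not Necko code): a toy model of
// nsHttpChannel -> nsHttpConnectionMgr -> ConnectionEntry dispatch,
// showing why the ConnectionInfo hash key must include isolation attributes.
#include <map>
#include <string>

// Stand-in for the LoadInfo the diagram attaches to nsHttpChannel.
struct LoadInfo {
    std::string loadingPrincipal;    // origin of the document issuing the load
    std::string triggeringPrincipal; // origin whose action triggered the load
    std::string partitionKey;        // first-party site the load belongs to
    bool anonymous = false;          // load without cookies/credentials
    bool privateBrowsing = false;
};

// Stand-in for nsHttpConnectionInfo: everything that decides whether two
// loads may share a connection.
struct ConnectionInfo {
    std::string scheme;
    std::string host;
    int port = 0;
    bool http3 = false;              // HttpConnectionUDP/Neqo vs nsHttpConnection/PSM
    std::string partitionKey;
    bool anonymous = false;
    bool privateBrowsing = false;

    // Key the connection manager uses to find the ConnectionEntry.
    // includeIsolation=false models an unsafe key that ignores who is loading.
    std::string HashKey(bool includeIsolation) const {
        std::string key = scheme + "://" + host + ":" + std::to_string(port);
        key += http3 ? "|h3" : "|tcp";
        if (includeIsolation) {
            key += "|pk=" + partitionKey;
            if (anonymous) key += "|anon";
            if (privateBrowsing) key += "|pb";
        }
        return key;
    }
};

enum class Transport { TcpTls, UdpQuic };

struct ConnectionEntry {
    ConnectionInfo ci;
    Transport transport;
    int loads = 0; // number of channels routed onto this entry
};

// Stand-in for nsHttpConnectionMgr.
class ConnectionMgr {
public:
    explicit ConnectionMgr(bool includeIsolation) : includeIsolation_(includeIsolation) {}

    ConnectionEntry& GetOrCreateEntry(const ConnectionInfo& ci) {
        const std::string key = ci.HashKey(includeIsolation_);
        auto it = entries_.find(key);
        if (it == entries_.end()) {
            Transport t = ci.http3 ? Transport::UdpQuic : Transport::TcpTls;
            it = entries_.emplace(key, ConnectionEntry{ci, t, 0}).first;
        }
        it->second.loads++;
        return it->second;
    }
    size_t EntryCount() const { return entries_.size(); }

private:
    bool includeIsolation_;
    std::map<std::string, ConnectionEntry> entries_;
};

// Stand-in for nsHttpChannel::AsyncOpen: derive the ConnectionInfo from the
// target origin plus the LoadInfo, then hand the load to the manager.
ConnectionEntry& AsyncOpen(ConnectionMgr& mgr, const std::string& host, int port,
                           bool http3, const LoadInfo& li) {
    ConnectionInfo ci;
    ci.scheme = "https";
    ci.host = host;
    ci.port = port;
    ci.http3 = http3;
    ci.partitionKey = li.partitionKey;
    ci.anonymous = li.anonymous;
    ci.privateBrowsing = li.privateBrowsing;
    return mgr.GetOrCreateEntry(ci);
}

// Scenario (constructed): two first-party sites each embed a resource from the
// same third-party origin. Returns how many distinct connection entries result.
size_t EntriesForTwoSites(bool includeIsolation, bool http3) {
    ConnectionMgr mgr(includeIsolation);
    LoadInfo fromA{"https://a.example", "https://a.example", "a.example"};
    LoadInfo fromB{"https://b.example", "https://b.example", "b.example"};
    AsyncOpen(mgr, "cdn.example", 443, http3, fromA);
    AsyncOpen(mgr, "cdn.example", 443, http3, fromB);
    return mgr.EntryCount();
}

// Which transport a load is dispatched onto, per the diagram's two subclasses.
Transport TransportFor(bool http3) {
    ConnectionMgr mgr(true);
    LoadInfo li{"https://a.example", "https://a.example", "a.example"};
    return AsyncOpen(mgr, "cdn.example", 443, http3, li).transport;
}

int main() {
    bool isolated = EntriesForTwoSites(true, false) == 2;  // separate pools per site
    bool shared = EntriesForTwoSites(false, false) == 1;   // one linkable pool
    return (isolated && shared) ? 0 : 1;
}
```

Run with any C++14 compiler (`c++ -std=c++14 model.cpp && ./a.out`); exit status 0 means the isolated key split the two sites into separate entries while the unkeyed variant pooled them. In the model the anonymous and private-browsing flags are folded into the same key for the same reason as the partition key: a credentialed and an anonymous load to one host must not reuse each other's connection.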