Bug 936808 - Serialize calls to PK11 routines in SSLServerCertVerification. r=briansmith

security/manager/ssl/src/SSLServerCertVerification.cpp

@@ -144,6 +144,9 @@ nsIThreadPool * gCertVerificationThreadPool = nullptr;
 // the code, since performance in the error case is not important.
 Mutex *gSSLVerificationTelemetryMutex = nullptr;
 
+// We add a mutex to serialize PKCS11 database operations
+Mutex *gSSLVerificationPK11Mutex = nullptr;
+
 } // unnamed namespace
 
 // Called when the socket transport thread starts, to initialize the SSL cert
@@ -160,6 +163,7 @@ void
 InitializeSSLServerCertVerificationThreads()
 {
   gSSLVerificationTelemetryMutex = new Mutex("SSLVerificationTelemetryMutex");
+  gSSLVerificationPK11Mutex = new Mutex("SSLVerificationPK11Mutex");
   // TODO: tuning, make parameters preferences
   // XXX: instantiate nsThreadPool directly, to make this more bulletproof.
   // Currently, the nsThreadPool.h header isn't exported for us to do so.
@@ -196,6 +200,10 @@ void StopSSLServerCertVerificationThreads()
     delete gSSLVerificationTelemetryMutex;
     gSSLVerificationTelemetryMutex = nullptr;
   }
+  if (gSSLVerificationPK11Mutex) {
+    delete gSSLVerificationPK11Mutex;
+    gSSLVerificationPK11Mutex = nullptr;
+  }
 }
 
 namespace {
@@ -979,6 +987,10 @@ AuthCertificate(TransportSecurityInfo * infoObject, CERTCertificate * cert,
         // We have found a signer cert that we want to remember.
         char* nickname = nsNSSCertificate::defaultServerNickname(node->cert);
         if (nickname && *nickname) {
+          // There is a suspicion that there is some thread safety issues
+          // in PK11_importCert and the mutex is a way to serialize until
+          // this issue has been cleared.
+          MutexAutoLock PK11Mutex(*gSSLVerificationPK11Mutex);
           ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
           if (slot) {
             PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,