diff --git a/.firefox.metadata b/.firefox.metadata
index 922ec3c..a25c671 100644
--- a/.firefox.metadata
+++ b/.firefox.metadata
@@ -1,6 +1,6 @@
 bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz
-c25da23b50ddf8926a943f86f1180b6d96c0eff0 SOURCES/firefox-140.4.0esr.processed-source.tar.xz
-22a42066c01a85b1264223041ed270b9e294d7e0 SOURCES/firefox-langpacks-140.4.0esr-20251010.tar.xz
+7744803db3f3ac6c101e3ebc1c9fdbcf6788f11e SOURCES/firefox-140.5.0esr.processed-source.tar.xz
+f96430e7442d0b125d77598bcbac586340f63a77 SOURCES/firefox-langpacks-140.5.0esr-20251107.tar.xz
 2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
 0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
 fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm
diff --git a/.gitignore b/.gitignore
index 521e9e5..6d42a13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 SOURCES/cbindgen-vendor.tar.xz
-SOURCES/firefox-140.4.0esr.processed-source.tar.xz
-SOURCES/firefox-langpacks-140.4.0esr-20251010.tar.xz
+SOURCES/firefox-140.5.0esr.processed-source.tar.xz
+SOURCES/firefox-langpacks-140.5.0esr-20251107.tar.xz
 SOURCES/mochitest-python.tar.gz
 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
 SOURCES/nss-3.112.0-1.el9_4.src.rpm
diff --git a/SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch b/SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch
index 4349476..fc1a42f 100644
--- a/SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch
+++ b/SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch
@@ -1,8 +1,37 @@
 diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-index 31aa1ddd67..6eb367eae4 100644
+index 31aa1ddd67..93ab402bfd 100644
 --- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-@@ -323,13 +323,21 @@ VerifyMLDSASignedDataNSS(Input data,
+@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
+ return Success;
+ }
+
++static SECOidTag
++findOIDByName(const char *cipherString)
++{
++ SECOidTag tag;
++ SECOidData *oid;
++
++ for (int i = 1; ; i++) {
++ SECOidTag tag = static_cast(i);
++ oid = SECOID_FindOIDByTag(tag);
++
++ if (oid == NULL) {
++ break;
++ }
++
++ if (strcasecmp(oid->desc, cipherString) == 0) {
++ return tag;
++ }
++ }
++
++ return SEC_OID_UNKNOWN;
++}
++
+ Result
+ VerifyMLDSASignedDataNSS(Input data,
+ Input signature,
+@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
 SECItem dataItem(UnsafeMapInputToSECItem(data));
 CK_MECHANISM_TYPE mechanism;
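Review bot: findOIDByName declares `SECOidTag tag;` at function scope and then a second `tag` inside the loop, so the outer declaration is unused and shadowed and can be removed. Every call walks the OID table from tag 1 with `strcasecmp` until `SECOID_FindOIDByTag` returns NULL, and the caller in the next hunk invokes it up to three times per ML-DSA verification; resolving the three tags once and reusing them would keep the scan off the per-signature path. A header comment such as `// Looks up an OID tag by its description string; returns SEC_OID_UNKNOWN when no entry matches.` would also help, ideally with a line on why the tag is not taken from a compile-time constant, presumably because the RHEL NSS build does not export the SEC_OID_ML_DSA_* values.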
@@ -10,22 +39,21 @@ index 31aa1ddd67..6eb367eae4 100644 - case SEC_OID_ML_DSA_44: - case SEC_OID_ML_DSA_65: - case SEC_OID_ML_DSA_87: -+ switch (SEC_GetSignatureAlgorithmOidTag(pubk->keyType, pubk->u.mldsa.params)) { -+ case CKP_ML_DSA_44: -+ hashPolicyTag = SEC_OID_UNKNOWN; -+ mechanism = CKM_ML_DSA; -+ signaturePolicyTag = SEC_OID_PRIVATE_3; -+ break; -+ case CKP_ML_DSA_65: -+ hashPolicyTag = SEC_OID_UNKNOWN; - mechanism = CKM_ML_DSA; +- mechanism = CKM_ML_DSA; - signaturePolicyTag = pubk->u.mldsa.paramSet; -+ signaturePolicyTag = SEC_OID_PRIVATE_4; -+ break; -+ case CKP_ML_DSA_87: - hashPolicyTag = SEC_OID_UNKNOWN; -+ mechanism = CKM_ML_DSA; -+ signaturePolicyTag = SEC_OID_PRIVATE_5; - break; - default: - return Result::ERROR_UNSUPPORTED_KEYALG; +- hashPolicyTag = SEC_OID_UNKNOWN; +- break; +- default: +- return Result::ERROR_UNSUPPORTED_KEYALG; +- break; ++ if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") || ++ pubk->u.mldsa.params == findOIDByName("ML-DSA-65") || ++ pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) { ++ hashPolicyTag = SEC_OID_UNKNOWN; ++ mechanism = CKM_ML_DSA; ++ signaturePolicyTag = pubk->u.mldsa.params; ++ } else { ++ return Result::ERROR_UNSUPPORTED_KEYALG; + } + + SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag}; diff --git a/SOURCES/firefox-add-mlkem768-secp256r1-support.patch b/SOURCES/firefox-add-mlkem768-secp256r1-support.patch new file mode 100644 index 0000000..4c6cf9b --- /dev/null +++ b/SOURCES/firefox-add-mlkem768-secp256r1-support.patch 
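Review bot: The new `if` in VerifyMLDSASignedDataNSS treats SEC_OID_UNKNOWN as a match when a lookup fails: findOIDByName returns SEC_OID_UNKNOWN if no OID description equals "ML-DSA-44", "ML-DSA-65" or "ML-DSA-87", and a key whose `pubk->u.mldsa.params` is also SEC_OID_UNKNOWN then takes the accepting branch with `signaturePolicyTag` set to SEC_OID_UNKNOWN. Whether params can hold that value is not visible here, but the check should fail closed, for example `if (pubk->u.mldsa.params == SEC_OID_UNKNOWN) { return Result::ERROR_UNSUPPORTED_KEYALG; }` ahead of the comparison. The policy check that consumes `policyTags` and the rest of the function lie outside the hunk.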
@@ -0,0 +1,139 @@ +diff --git a/dom/media/webrtc/transport/transportlayerdtls.cpp b/dom/media/webrtc/transport/transportlayerdtls.cpp +index f242eeacf4..119a94ebae 100644 +--- a/dom/media/webrtc/transport/transportlayerdtls.cpp ++++ b/dom/media/webrtc/transport/transportlayerdtls.cpp +@@ -603,7 +603,7 @@ bool TransportLayerDtls::Setup() { + + // Mlkem must stay the last in the list because if we don't support it + // the amount of supported_groups will be sent without it. +- ssl_grp_kem_mlkem768x25519}; ++ ssl_grp_kem_mlkem768x25519, ssl_grp_kem_secp256r1mlkem768}; + + size_t numGroups = std::size(namedGroups); + if (!(StaticPrefs::security_tls_enable_kyber() && +diff --git a/netwerk/socket/neqo_glue/src/lib.rs b/netwerk/socket/neqo_glue/src/lib.rs +index 21e82b920d..7392ac377c 100644 +--- a/netwerk/socket/neqo_glue/src/lib.rs ++++ b/netwerk/socket/neqo_glue/src/lib.rs +@@ -330,6 +330,7 @@ impl NeqoHttp3Conn { + // These operations are infallible when conn.state == State::Init. + conn.set_groups(&[ + neqo_crypto::TLS_GRP_KEM_MLKEM768X25519, ++ neqo_crypto::TLS_GRP_KEM_MLKEM768SECP256R1, + neqo_crypto::TLS_GRP_EC_X25519, + neqo_crypto::TLS_GRP_EC_SECP256R1, + neqo_crypto::TLS_GRP_EC_SECP384R1, +@@ -338,7 +339,7 @@ impl NeqoHttp3Conn { + .map_err(|_| NS_ERROR_UNEXPECTED)?; + additional_shares += 1; + } +- // If additional_shares == 2, send mlkem768x25519, x25519, and p256. ++ // If additional_shares == 2, send mlkem768x25519, mlkem768secp256r1, x25519, and p256. + // If additional_shares == 1, send {mlkem768x25519, x25519} or {x25519, p256}. + // If additional_shares == 0, send x25519. 
+ conn.send_additional_key_shares(additional_shares) +diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp +index 0a7b84d787..9a36375e63 100644 +--- a/security/manager/ssl/nsNSSCallbacks.cpp ++++ b/security/manager/ssl/nsNSSCallbacks.cpp +@@ -658,6 +658,9 @@ nsCString getKeaGroupName(uint32_t aKeaGroup) { + case ssl_grp_kem_mlkem768x25519: + groupName = "mlkem768x25519"_ns; + break; ++ case ssl_grp_kem_secp256r1mlkem768: ++ groupName = "secp256r1mlkem768"_ns; ++ break; + case ssl_grp_ffdhe_2048: + groupName = "FF 2048"_ns; + break; +diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp +index 7443011b13..4872d8bf4c 100644 +--- a/security/manager/ssl/nsNSSIOLayer.cpp ++++ b/security/manager/ssl/nsNSSIOLayer.cpp +@@ -450,7 +450,7 @@ bool retryDueToTLSIntolerance(PRErrorCode err, NSSSocketControl* socketInfo) { + errorName.AppendASCII(prErrorName); + } + mozilla::glean::tls::xyber_intolerance_reason.Get(errorName).Add(1); +- // Don't record version intolerance if we sent mlkem768x25519, just force a ++ // Don't record version intolerance if we sent mlkem768x25519/secp256r1mlkem768, just force a + // retry. 
+ return true; + } +@@ -1564,7 +1564,8 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, + !(infoObject->GetProviderFlags() & + (nsISocketProvider::BE_CONSERVATIVE | nsISocketProvider::IS_RETRY))) { + const SSLNamedGroup namedGroups[] = { +- ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ++ ssl_grp_kem_mlkem768x25519, ssl_grp_kem_secp256r1mlkem768, ++ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, + ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, + ssl_grp_ffdhe_3072}; + if (SECSuccess != +@@ -1577,14 +1578,14 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, + const SSLNamedGroup namedGroups[] = { + ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, + ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072}; +- // Skip the |ssl_grp_kem_mlkem768x25519| entry. ++ // Skip the |ssl_grp_kem_mlkem768x25519| and |ssl_grp_kem_secp256r1mlkem768| entries. + if (SECSuccess != + SSL_NamedGroupConfig(fd, namedGroups, std::size(namedGroups))) { + return NS_ERROR_FAILURE; + } + } + +- // If additional_shares == 2, send mlkem768x25519, x25519, and p256. ++ // If additional_shares == 2, send mlkem768x25519, secp256r1mlkem768, x25519, and p256. + // If additional_shares == 1, send {mlkem768x25519, x25519} or {x25519, p256}. + // If additional_shares == 0, send x25519. 
+ if (SECSuccess != SSL_SendAdditionalKeyShares(fd, additional_shares)) { +diff --git a/third_party/rust/neqo-crypto/.cargo-checksum.json b/third_party/rust/neqo-crypto/.cargo-checksum.json +index 85f14fe2f4..b7af45a5de 100644 +--- a/third_party/rust/neqo-crypto/.cargo-checksum.json ++++ b/third_party/rust/neqo-crypto/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e
0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","t
ests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f
5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"fb3b6353c0ed4683a1489e7c730b480e8c1895800bd024376165f722d8211d47","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d
9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file +diff --git a/third_party/rust/neqo-crypto/src/constants.rs b/third_party/rust/neqo-crypto/src/constants.rs +index c3cb109c6f..e0bdc5c3f4 100644 +--- a/third_party/rust/neqo-crypto/src/constants.rs ++++ b/third_party/rust/neqo-crypto/src/constants.rs +@@ -84,6 +84,7 @@ remap_enum! { + TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519, + TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00, + TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768, ++ TLS_GRP_KEM_MLKEM768SECP256R1 = ssl_grp_kem_secp256r1mlkem768, + } + } + +diff --git a/third_party/rust/neqo-transport/.cargo-checksum.json b/third_party/rust/neqo-transport/.cargo-checksum.json +index 2ab6177fb5..17c7e641ee 100644 +--- a/third_party/rust/neqo-transport/.cargo-checksum.json ++++ b/third_party/rust/neqo-transport/.cargo-checksum.json +@@ -1 +1 @@ 
+-{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_interna
l.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce8931c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"312d27efcb6ce334143f1c62ae821e2915f06b18284312de5af41adb9555b513","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf
0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/sent.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5
bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12
de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_internal.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce893
1c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"3ea51742021e6c4d3b7f69747a80baf35a1166f0a3caac521dc8aa5c3181e40b","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/se
nt.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file +diff --git a/third_party/rust/neqo-transport/src/crypto.rs 
b/third_party/rust/neqo-transport/src/crypto.rs +index f0ffbc40fa..219d005946 100644 +--- a/third_party/rust/neqo-transport/src/crypto.rs ++++ b/third_party/rust/neqo-transport/src/crypto.rs +@@ -22,7 +22,7 @@ use neqo_crypto::{ + PrivateKey, PublicKey, Record, RecordList, ResumptionToken, SymKey, ZeroRttChecker, + TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_CT_HANDSHAKE, + TLS_GRP_EC_SECP256R1, TLS_GRP_EC_SECP384R1, TLS_GRP_EC_SECP521R1, TLS_GRP_EC_X25519, +- TLS_GRP_KEM_MLKEM768X25519, TLS_VERSION_1_3, ++ TLS_GRP_KEM_MLKEM768X25519, TLS_GRP_KEM_MLKEM768SECP256R1, TLS_VERSION_1_3, + }; + + use crate::{ +@@ -81,6 +81,7 @@ impl Crypto { + ])?; + agent.set_groups(if conn_params.mlkem_enabled() { + &[ ++ TLS_GRP_KEM_MLKEM768SECP256R1, + TLS_GRP_KEM_MLKEM768X25519, + TLS_GRP_EC_X25519, + TLS_GRP_EC_SECP256R1, diff --git a/SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch b/SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch index beb641e..9cb4553 100644 --- a/SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch +++ b/SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch @@ -1,26 +1,24 @@ diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp -index cc77864..1e978ef 100644 +index cc778640a1..298d6a61e8 100644 --- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp 
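Review bot: In the transportlayerdtls.cpp part of this new patch, `ssl_grp_kem_secp256r1mlkem768` is appended after `ssl_grp_kem_mlkem768x25519`, while the surviving comment still says ML-KEM must be the last entry so that supported_groups can be sent without it. The code that shortens `numGroups` is outside the hunk; if it drops only one trailing entry, `ssl_grp_kem_mlkem768x25519` would still be offered over DTLS with the pref off, so the trim should account for both KEM groups. The `additional_shares == 2` comments in neqo_glue/src/lib.rs and nsNSSIOLayer.cpp now name four groups for what was three key shares and should be corrected to match what is actually sent. neqo-transport's crypto.rs also lists the P-256 hybrid ahead of the X25519 hybrid, the reverse of the other two group lists, which is worth confirming as intended.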
+++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp -@@ -53,6 +53,11 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain { +@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain { mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual mozilla::pkix::Result VerifyMLDSASignedData( -+ mozilla::pkix::Input data, -+ mozilla::pkix::Input signature, ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual mozilla::pkix::Result DigestBuf( mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, /*out*/ uint8_t* digestBuf, size_t digestBufLen) override; -@@ -151,6 +156,15 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData( +@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData( return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; } +mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData( -+ mozilla::pkix::Input data, -+ mozilla::pkix::Input signature, ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) { + MOZ_ASSERT_UNREACHABLE("not expecting this to be called"); + @@ -31,27 +29,46 @@ index cc77864..1e978ef 100644 mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, /*out*/ uint8_t* digestBuf, size_t digestBufLen) { diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp -index ca33077..cb96f58 100644 +index ca330770fb..1e8f1d4996 100644 --- a/security/certverifier/CertVerifier.cpp 
+++ b/security/certverifier/CertVerifier.cpp -@@ -1048,10 +1048,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature, +@@ -7,6 +7,7 @@ + #include "CertVerifier.h" + + #include ++#include + + #include "AppTrustDomain.h" + #include "CTKnownLogs.h" +@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert( + void HashSignatureParams(pkix::Input data, pkix::Input signature, + pkix::Input subjectPublicKeyInfo, + pkix::der::PublicKeyAlgorithm publicKeyAlgorithm, +- pkix::DigestAlgorithm digestAlgorithm, ++ std::optional digestAlgorithm, + /*out*/ Maybe>& sha512Hash) { + sha512Hash.reset(); + Digest digest; +@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature, sizeof(publicKeyAlgorithm)))) { return; } - if (NS_FAILED( -+ // Digest algorithm is expected to be null since ML-DSA is not an hash and -+ // sign algorithm. Skip digestAlgorithm for ML-DSA. -+ if (publicKeyAlgorithm != der::PublicKeyAlgorithm::MLDSA) { -+ if (NS_FAILED( - digest.Update(reinterpret_cast(&digestAlgorithm), - sizeof(digestAlgorithm)))) { +- digest.Update(reinterpret_cast(&digestAlgorithm), +- sizeof(digestAlgorithm)))) { - return; ++ // There is no fallback digest algorithm when it's empty. ++ // Check that digestAlgorithm actually contains a value. ++ if (digestAlgorithm) { ++ pkix::DigestAlgorithm value = digestAlgorithm.value(); ++ if (NS_FAILED(digest.Update(reinterpret_cast(&value), ++ sizeof(value)))) { + return; + } } nsTArray result; if (NS_FAILED(digest.End(result))) { -@@ -1064,12 +1068,19 @@ Result VerifySignedDataWithCache( +@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache( der::PublicKeyAlgorithm publicKeyAlg, mozilla::glean::impl::DenominatorMetric telemetryDenominator, mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data, 
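Review bot: In the new HashSignatureParams body, an empty `digestAlgorithm` adds nothing to the SHA-512 cache key, so "no digest" is encoded only by a shorter hash input. The `publicKeyAlgorithm` update just before it keeps ML-DSA entries apart from the hash-and-sign ones as far as this hunk shows, but a signature-cache key is easier to reason about when every field is always present. I would hash a presence byte unconditionally before the optional value: `const uint8_t hasDigest = digestAlgorithm.has_value() ? 1 : 0;` followed by `if (NS_FAILED(digest.Update(&hasDigest, sizeof(hasDigest)))) { return; }`. The start of the function is outside the hunk, so whether the earlier fields are length-prefixed cannot be confirmed from here.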
@@ -68,34 +85,31 @@ index ca33077..cb96f58 100644 + } + HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg, -- digestAlgorithm, sha512Hash); -+ digestAlgorithm.value_or(pkix::DigestAlgorithm::sha512), sha512Hash); + digestAlgorithm, sha512Hash); // If hashing the signature parameters succeeded, see if this signature is in - // the signature cache. - if (sha512Hash.isSome() && -@@ -1080,16 +1091,23 @@ Result VerifySignedDataWithCache( +@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache( Result result; switch (publicKeyAlg) { case der::PublicKeyAlgorithm::ECDSA: - result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, - subjectPublicKeyInfo, pinArg); -+ result = VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), -+ signature, subjectPublicKeyInfo, -+ pinArg); ++ result = ++ VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); break; case der::PublicKeyAlgorithm::RSA_PKCS1: - result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, - subjectPublicKeyInfo, pinArg); -+ result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), -+ signature, subjectPublicKeyInfo, -+ pinArg); ++ result = ++ VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); break; case der::PublicKeyAlgorithm::RSA_PSS: - result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature, - subjectPublicKeyInfo, pinArg); -+ result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), -+ signature, subjectPublicKeyInfo, -+ pinArg); ++ result = ++ VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); + break; + case der::PublicKeyAlgorithm::MLDSA: + result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, @@ -104,58 +118,56 @@ index ca33077..cb96f58 100644 default: MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm"); 
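Review bot: The ECDSA, RSA_PKCS1 and RSA_PSS cases now call `digestAlgorithm.value()` with no check of their own. They depend on the guard added near the top of VerifySignedDataWithCache, of which only the closing brace falls inside this hunk. On an empty optional, `.value()` throws `std::bad_optional_access`, which becomes process termination in a build without exceptions, rather than a pkix error returned to the caller. I would record the dependency above the `switch`, for example `// digestAlgorithm is non-empty here for every algorithm except MLDSA (checked above).`, so that a case added later does not call `.value()` unchecked. It is also worth confirming that the guard returns a `Result` error instead of only asserting.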
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h -index 6432547..f9a0365 100644 +index 6432547c8a..6e09e6fcdd 100644 --- a/security/certverifier/CertVerifier.h +++ b/security/certverifier/CertVerifier.h -@@ -331,7 +331,7 @@ mozilla::pkix::Result VerifySignedDataWithCache( +@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache( mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg, mozilla::glean::impl::DenominatorMetric telemetryDenominator, mozilla::glean::impl::NumeratorMetric telemetryNumerator, - mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, -+ mozilla::pkix::Input data, std::optional digestAlgorithm, ++ mozilla::pkix::Input data, ++ std::optional digestAlgorithm, mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo, SignatureCache* signatureCache, void* pinArg); diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp -index 77c17c1..741892f 100644 +index 70ba17d70f..a3ace3cee7 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp 
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp -@@ -1541,6 +1541,17 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData( +@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData( signature, subjectPublicKeyInfo, mSignatureCache, mPinArg); } -+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, -+ Input signature, -+ Input subjectPublicKeyInfo) -+{ ++Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature, ++ Input subjectPublicKeyInfo) { + return VerifySignedDataWithCache( + der::PublicKeyAlgorithm::MLDSA, + mozilla::glean::cert_signature_cache::total, -+ mozilla::glean::cert_signature_cache::hits, data, std::nullopt, -+ signature, subjectPublicKeyInfo, mSignatureCache, mPinArg); ++ mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature, ++ subjectPublicKeyInfo, mSignatureCache, mPinArg); +} + Result NSSCertDBTrustDomain::CheckValidityIsAcceptable( Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA, KeyPurposeId keyPurpose) { diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h -index fc210f3..8d17a4f 100644 +index fc210f3254..6178201758 100644 --- a/security/certverifier/NSSCertDBTrustDomain.h +++ b/security/certverifier/NSSCertDBTrustDomain.h -@@ -197,6 +197,11 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { +@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual Result VerifyMLDSASignedData( -+ mozilla::pkix::Input data, -+ mozilla::pkix::Input signature, ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + virtual Result DigestBuf(mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, /*out*/ uint8_t* digestBuf, 
diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp -index d5e665a..4712137 100644 +index d5e665aaca..471213745d 100644 --- a/security/ct/CTLogVerifier.cpp +++ b/security/ct/CTLogVerifier.cpp @@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain { @@ -170,19 +182,16 @@ index d5e665a..4712137 100644 KeyPurposeId) override { return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp -index 6a25307..03d19f7 100644 +index 6a25307ec3..dbec7adc91 100644 --- a/security/ct/tests/gtest/CTTestUtils.cpp +++ b/security/ct/tests/gtest/CTTestUtils.cpp -@@ -807,6 +807,15 @@ class OCSPExtensionTrustDomain : public TrustDomain { +@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain { subjectPublicKeyInfo, nullptr); } -+ pkix::Result VerifyMLDSASignedData(Input data, -+ Input signature, ++ pkix::Result VerifyMLDSASignedData(Input data, Input signature, + Input subjectPublicKeyInfo) override { -+ return VerifyMLDSASignedDataNSS(data, -+ signature, -+ subjectPublicKeyInfo, ++ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, + nullptr); + } + @@ -190,20 +199,16 @@ index 6a25307..03d19f7 100644 KeyPurposeId) override { ADD_FAILURE(); diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp -index ab49d7e..36e7e19 100644 +index ab49d7eb1f..3963f90eb1 100644 --- a/security/manager/ssl/AppTrustDomain.cpp 
+++ b/security/manager/ssl/AppTrustDomain.cpp -@@ -322,6 +322,16 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData( +@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData( subjectPublicKeyInfo, nullptr); } -+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, -+ Input signature, -+ Input subjectPublicKeyInfo) -+{ -+ return VerifyMLDSASignedDataNSS(data, -+ signature, -+ subjectPublicKeyInfo, ++pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature, ++ Input subjectPublicKeyInfo) { ++ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, + nullptr); +} + @@ -211,31 +216,29 @@ index ab49d7e..36e7e19 100644 Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/, KeyPurposeId /*keyPurpose*/) { diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h -index 4b0212e..083d5fb 100644 +index 4b0212ede0..85fdff5f13 100644 --- a/security/manager/ssl/AppTrustDomain.h +++ b/security/manager/ssl/AppTrustDomain.h -@@ -80,6 +80,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain { +@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain { mozilla::pkix::DigestAlgorithm digestAlg, /*out*/ uint8_t* digestBuf, size_t digestBufLen) override; + virtual Result VerifyMLDSASignedData( -+ mozilla::pkix::Input data, -+ mozilla::pkix::Input signature, ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; private: nsTArray> mTrustedRoots; diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp -index 3a84b15..8450076 100644 +index 3a84b15ee6..a3dc5a1af1 100644 --- a/security/manager/ssl/TLSClientAuthCertSelection.cpp 
+++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp -@@ -217,6 +217,12 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain { +@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain { pkix::Input subjectPublicKeyInfo) override { return pkix::Success; } + virtual mozilla::pkix::Result VerifyMLDSASignedData( -+ pkix::Input data, -+ pkix::Input signature, ++ pkix::Input data, pkix::Input signature, + pkix::Input subjectPublicKeyInfo) override { + return pkix::Success; + } diff --git a/SOURCES/wasi.patch b/SOURCES/wasi.patch index cb4dd86..a52dc1d 100644 --- a/SOURCES/wasi.patch +++ b/SOURCES/wasi.patch @@ -6,7 +6,7 @@ diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz. if wasi_sysroot: log.info("Using wasi sysroot in %s", wasi_sysroot) - return ["--sysroot=%s" % wasi_sysroot] -+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.4.0-build/firefox-140.4.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"] ++ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.5.0-build/firefox-140.5.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"] return [] set_config("WASI_SYSROOT", wasi_sysroot) diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index 75bb9f6..842fdc0 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec 
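Review bot: The added `return [...]` line in wasi.patch still hard-codes an absolute linker input under a developer home directory, `/home/jhorak/r/firefox/firefox-140.5.0-build/`, and this hunk only bumps the version inside it. A path that resolves outside the build root has to be re-edited for every release. On a build host where that location happens to exist, the library linked in would not come from the package's own sources. The spec already exports `LIBCLANG_RT` pointing into the build tree (visible in the hunk context of SPECS/firefox.spec), so the flag list should take the path from that variable, unless the spec rewrites this line elsewhere, which is not visible here. The enclosing function starts outside the hunk.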
@@ -12,6 +12,22 @@ %global run_firefox_tests 0 %endif +%ifarch x86_64 +%if 0%{?rhel} == 7 +# Disable debuginfo package and strip all binaries to avoid 4GB cpio limit +%define _binary_payload w19T16.xzdio +%global debug_package %{nil} +%define _enable_debug_packages 0 +%define __spec_install_post \ + %{__arch_install_post} \ + %{__os_install_post} \ + find %{buildroot}%{mozappdir} -type f -name "*.so" -exec eu-strip --strip-debug {} \\; 2>/dev/null || find %{buildroot}%{mozappdir} -type f -name "*.so" -exec strip --strip-debug {} \\; \ + eu-strip --strip-all %{buildroot}%{mozappdir}/firefox-bin 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox-bin || : \ + eu-strip --strip-all %{buildroot}%{mozappdir}/firefox 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox || : \ + eu-strip --strip-all %{buildroot}%{mozappdir}/plugin-container 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/plugin-container || : +%endif +%endif + # wasi_sdk is for sandboxing third party c/c++ libs by using rlbox, exclude s390x on the f39. %global with_wasi_sdk 0 @@ -175,8 +191,8 @@ end} Summary: Mozilla Firefox Web browser Name: firefox -Version: 140.4.0 -Release: 3%{?dist} +Version: 140.5.0 +Release: 1%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ @@ -206,7 +222,7 @@ ExcludeArch: aarch64 s390 ppc # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{with langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20251010.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20251107.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball 
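Review bot: In the overridden `__spec_install_post`, the first strip line (`find ... -name "*.so" -exec eu-strip --strip-debug {} \\; 2>/dev/null || find ... -exec strip ...`) does not fall back the way the three lines after it do. With `-exec ... \;`, find's exit status does not reflect a failing `eu-strip`, so the `strip` branch runs only when find itself fails, and `2>/dev/null` hides the per-file errors. Moving the fallback inside the exec makes it apply per file: `-exec sh -c 'eu-strip --strip-debug "$1" 2>/dev/null || strip --strip-debug "$1"' _ {} \\;`. Separately, the trailing `|| :` on the three binary lines lets a total strip failure pass silently, so the build would not notice if the payload stayed above the cpio limit that the comment cites.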
@@ -291,6 +307,8 @@ Patch122: firefox-enable-ml-dsa-signature-verification-for-certificate-cha Patch123: firefox-adapt-ml-dsa-support-to-rhel-nss.patch # RHEL downstream only - enable ML-DSA in manager/ssl Patch124: firefox-enable-ml-dsa-in-manager-ssl.patch +# RHEL downstream only - add mlkem768-secp256r1 support +Patch125: firefox-add-mlkem768-secp256r1-support.patch # ---- Fedora specific patches ---- Patch151: firefox-enable-addons.patch @@ -1346,6 +1364,7 @@ export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.buil %patch -P122 -p1 -b .enable-ml-dsa-signature-verification-for-certificate-chain-validation %patch -P123 -p1 -b .adapt-ml-dsa-support-to-rhel-nss %patch -P124 -p1 -b .enable-ml-dsa-in-manager-ssl +%patch -P125 -p1 -b .add-mlkem768-secp256r1-support %endif # ---- Fedora specific patches ---- @@ -1667,7 +1686,7 @@ MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads" # __global_ldflags that normally sets this. MOZ_LINK_FLAGS="$MOZ_LINK_FLAGS -L%{_libdir}" %endif -%ifarch %{ix86} %{s390x} +%ifarch %{ix86} s390x export RUSTFLAGS="-Cdebuginfo=0" echo 'export RUSTFLAGS="-Cdebuginfo=0"' >> .mozconfig %endif @@ -2109,6 +2128,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Fri Nov 7 2025 Jan Horak - 140.5.0-1 +- Update to 140.5.0 ESR + * Fri Oct 10 2025 Jan Horak - 140.4.0-3 - Update to 140.4.0 ESR
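Review bot: The `%changelog` entry added by this commit says only `Update to 140.5.0 ESR`, but the same commit introduces `Patch125` in this hunk and a RHEL 7 block that disables debuginfo. As far as the visible part of the patch shows, `Patch125` adds `TLS_GRP_KEM_MLKEM768SECP256R1` to the group list that neqo-transport sets when ML-KEM is enabled. A change to the negotiated key-exchange groups should be traceable from the package changelog, so I would add a line such as `- Add mlkem768-secp256r1 hybrid key exchange support (downstream patch)`.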