.firefox.metadata

@@ -1,8 +1,8 @@
-bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz
-f87e9828496d77af5e879cfd4b493973e3fa2ca5 SOURCES/firefox-140.6.0esr.processed-source.tar.xz
-2c0416681b196b1bf85720e01a30fcea6fbcb19f SOURCES/firefox-langpacks-140.6.0esr-20251202.tar.xz
+5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
+2549991b68b27b820e92151e48f9f08da0cd55fb SOURCES/firefox-128.5.1esr.processed-source.tar.xz
+76f0794bac607a730ea03dff8f804e09c9e0c962 SOURCES/firefox-langpacks-128.5.1esr-20241202.tar.xz
 2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
-0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
-fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm
-c3f0aaef37972107442e2796efad71be3a98ce3c SOURCES/nss-3.112.0-4.el8_2.src.rpm
+d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
+f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm
+0413d22a58ba1bba99acec9c3c2a4db56a4100c7 SOURCES/nss-3.101.0-7.el9_2.src.rpm
 0332862626d2148648ff749078c223dbd859d901 SOURCES/wasi-sdk-20.tar.gz

.gitignore

@@ -1,8 +1,8 @@
 SOURCES/cbindgen-vendor.tar.xz
-SOURCES/firefox-140.6.0esr.processed-source.tar.xz
-SOURCES/firefox-langpacks-140.6.0esr-20251202.tar.xz
+SOURCES/firefox-128.5.1esr.processed-source.tar.xz
+SOURCES/firefox-langpacks-128.5.1esr-20241202.tar.xz
 SOURCES/mochitest-python.tar.gz
-SOURCES/nspr-4.36.0-2.el8_2.src.rpm
-SOURCES/nss-3.112.0-1.el9_4.src.rpm
-SOURCES/nss-3.112.0-4.el8_2.src.rpm
+SOURCES/nspr-4.35.0-1.el8_1.src.rpm
+SOURCES/nss-3.101.0-7.el8_2.src.rpm
+SOURCES/nss-3.101.0-7.el9_2.src.rpm
 SOURCES/wasi-sdk-20.tar.gz

SOURCES/D224588.1728128098.diff

@@ -1,7 +1,9 @@
-diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c.D224588 firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
---- firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c.D224588	2025-06-25 11:50:45.852066851 +0200
-+++ firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c	2025-06-25 11:50:45.908794290 +0200
-@@ -56,6 +56,7 @@
+diff --git a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
+--- a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
++++ b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
+@@ -54,10 +54,11 @@
+ #include "crypto_types.h"
+ #include "cipher_types.h"
  #include "cipher_test_cases.h"
  #include <secerr.h>
  #include <nspr.h>
@@ -9,10 +11,14 @@ diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c.D2245
  
  srtp_debug_module_t srtp_mod_aes_gcm = {
      0,            /* debugging is off by default */
-@@ -215,8 +216,13 @@ static srtp_err_status_t srtp_aes_gcm_ns
-     /* explicitly cast away const of key */
-     SECItem key_item = { siBuffer, (unsigned char *)(uintptr_t)key,
-                          c->key_size };
+     "aes gcm nss" /* printable module name       */
+ };
+@@ -211,12 +212,17 @@
+     if (!slot) {
+         return (srtp_err_status_cipher_fail);
+     }
+ 
+     SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
 -    c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
 -                               CKA_ENCRYPT, &key_item, NULL);
 +    if (PK11_IsFIPS()) {
@@ -25,10 +31,14 @@ diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c.D2245
      PK11_FreeSlot(slot);
  
      if (!c->key) {
-diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c.D224588 firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
---- firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c.D224588	2025-06-17 18:15:28.000000000 +0200
-+++ firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c	2025-06-25 11:50:45.909171218 +0200
-@@ -53,6 +53,7 @@
+         return (srtp_err_status_cipher_fail);
+     }
+diff --git a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
+--- a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
++++ b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
+@@ -51,10 +51,11 @@
+ #include "crypto_types.h"
+ #include "err.h" /* for srtp_debug */
  #include "alloc.h"
  #include "cipher_types.h"
  #include "cipher_test_cases.h"
@@ -36,10 +46,14 @@ diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c.D2245
  
  srtp_debug_module_t srtp_mod_aes_icm = {
      0,            /* debugging is off by default */
-@@ -257,8 +258,13 @@ static srtp_err_status_t srtp_aes_icm_ns
-     /* explicitly cast away const of key */
-     SECItem keyItem = { siBuffer, (unsigned char *)(uintptr_t)key,
-                         c->key_size };
+     "aes icm nss" /* printable module name       */
+ };
+@@ -252,12 +253,17 @@
+     if (!slot) {
+         return srtp_err_status_bad_param;
+     }
+ 
+     SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size };
 -    c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
 -                               CKA_ENCRYPT, &keyItem, NULL);
 +    if (PK11_IsFIPS()) {
@@ -52,9 +66,12 @@ diff -up firefox-140.0/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c.D2245
      PK11_FreeSlot(slot);
  
      if (!c->key) {
-diff -up firefox-140.0/third_party/libsrtp/src/crypto/include/nss_fips.h.D224588 firefox-140.0/third_party/libsrtp/src/crypto/include/nss_fips.h
---- firefox-140.0/third_party/libsrtp/src/crypto/include/nss_fips.h.D224588	2025-06-25 11:50:45.909524312 +0200
-+++ firefox-140.0/third_party/libsrtp/src/crypto/include/nss_fips.h	2025-06-25 11:50:45.909524312 +0200
+         return srtp_err_status_cipher_fail;
+     }
+diff --git a/third_party/libsrtp/src/crypto/include/nss_fips.h b/third_party/libsrtp/src/crypto/include/nss_fips.h
+new file mode 100644
+--- /dev/null
++++ b/third_party/libsrtp/src/crypto/include/nss_fips.h
 @@ -0,0 +1,148 @@
 +/*
 + * Copyright (c) 2024, Red Hat, Inc.
@@ -204,3 +221,4 @@ diff -up firefox-140.0/third_party/libsrtp/src/crypto/include/nss_fips.h.D224588
 + }
 +
 +#endif // NSS_FIPS_H
+

SOURCES/D245908.clear-lang-bundles.diff

@@ -1,16 +0,0 @@
-diff --git a/intl/strres/nsStringBundle.cpp b/intl/strres/nsStringBundle.cpp
---- a/intl/strres/nsStringBundle.cpp
-+++ b/intl/strres/nsStringBundle.cpp
-@@ -753,10 +753,11 @@
-                                const char16_t* aSomeData) {
-   if (strcmp("profile-do-change", aTopic) == 0 ||
-       strcmp("chrome-flush-caches", aTopic) == 0 ||
-       strcmp("intl:app-locales-changed", aTopic) == 0) {
-     flushBundleCache(/* ignoreShared = */ false);
-+    mBundleMap.Clear();
-   } else if (strcmp("memory-pressure", aTopic) == 0) {
-     flushBundleCache(/* ignoreShared = */ true);
-   }
- 
-   return NS_OK;
-

SOURCES/D249071.restoreWinState.diff

@@ -1,53 +0,0 @@
-diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
---- a/modules/libpref/init/StaticPrefList.yaml
-+++ b/modules/libpref/init/StaticPrefList.yaml
-@@ -1762,10 +1762,16 @@
- - name: browser.privatebrowsing.forceMediaMemoryCache
-   type: bool
-   value: false
-   mirror: always
- 
-+# Disable state restoration, allowing the kiosk desktop environment to manage state and position.
-+- name: browser.restoreWindowState.disabled
-+  type: bool
-+  value: false
-+  mirror: always
-+
- # Communicates the toolbar color to platform (for e.g., prefers-color-scheme).
- #
- # Returns whether the toolbar is dark (0), light (1), or system (2). The
- # theming code overrides it if appropriate.
- - name: browser.theme.toolbar-theme
-diff --git a/xpfe/appshell/AppWindow.cpp b/xpfe/appshell/AppWindow.cpp
---- a/xpfe/appshell/AppWindow.cpp
-+++ b/xpfe/appshell/AppWindow.cpp
-@@ -58,10 +58,11 @@
- #include "mozilla/AutoRestore.h"
- #include "mozilla/Preferences.h"
- #include "mozilla/PresShell.h"
- #include "mozilla/Services.h"
- #include "mozilla/SpinEventLoopUntil.h"
-+#include "mozilla/StaticPrefs_browser.h"
- #include "mozilla/dom/BarProps.h"
- #include "mozilla/dom/DOMRect.h"
- #include "mozilla/dom/Element.h"
- #include "mozilla/dom/Event.h"
- #include "mozilla/dom/ScriptSettings.h"
-@@ -2393,10 +2394,16 @@
-   nsCOMPtr<dom::Element> docShellElement = GetWindowDOMElement();
-   if (!docShellElement) {
-     return;
-   }
- 
-+  // Disable state restoration, allowing the kiosk desktop environment
-+  // to manage state and position.
-+  if (StaticPrefs::browser_restoreWindowState_disabled()) {
-+    return;
-+  }
-+
-   // Check if the window wants to persist anything.
-   nsAutoString persist;
-   docShellElement->GetAttr(nsGkAtoms::persist, persist);
-   if (persist.IsEmpty()) {
-     return;
-

SOURCES/D266159.1760530435.diff

@@ -1,19 +0,0 @@
-diff --git a/gfx/webrender_bindings/RenderCompositorSWGL.cpp b/gfx/webrender_bindings/RenderCompositorSWGL.cpp
---- a/gfx/webrender_bindings/RenderCompositorSWGL.cpp
-+++ b/gfx/webrender_bindings/RenderCompositorSWGL.cpp
-@@ -76,12 +76,14 @@
-     const wr::DeviceIntRect* aOpaqueRects, size_t aNumOpaqueRects) {
-   // Request a new draw target to use from the widget...
-   MOZ_ASSERT(!mDT);
-   mDT = mWidget->StartRemoteDrawingInRegion(mDirtyRegion);
-   if (!mDT) {
-+#if !defined(MOZ_WAYLAND)
-     gfxCriticalNoteOnce
-         << "RenderCompositorSWGL failed mapping default framebuffer, no dt";
-+#endif
-     return false;
-   }
-   // Attempt to lock the underlying buffer directly from the draw target.
-   // Verify that the size at least matches what the widget claims and that
-   // the format is BGRA8 as SWGL requires.
-

SOURCES/av1-else-condition-add.patch

@@ -1,14 +0,0 @@
-diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
-index acadd3a2cc..11b217174d 100644
---- a/modules/libpref/init/StaticPrefList.yaml
-+++ b/modules/libpref/init/StaticPrefList.yaml
-@@ -12561,6 +12561,8 @@
-   type: RelaxedAtomicBool
- #if defined(MOZ_AV1)
-   value: true
-+#else
-+  value: false
- #endif
-   mirror: always
- 
-

SOURCES/build-ffvpx.patch

@@ -1,24 +1,24 @@
-diff -up firefox-140.1.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx firefox-140.1.0/media/ffvpx/libavcodec/av1dec.c
---- firefox-140.1.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx	2025-07-14 19:14:53.000000000 +0200
-+++ firefox-140.1.0/media/ffvpx/libavcodec/av1dec.c	2025-07-31 13:02:48.131126439 +0200
-@@ -904,7 +904,7 @@ static av_cold int av1_decode_init(AVCod
+diff -up thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c
+--- thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c.build-ffvpx	2024-06-24 22:43:40.000000000 +0200
++++ thunderbird-128.0/media/ffvpx/libavcodec/av1dec.c	2024-07-10 11:20:23.200948767 +0200
+@@ -887,7 +887,7 @@ static av_cold int av1_decode_init(AVCod
          ff_cbs_fragment_reset(&s->current_obu);
      }
  
 -    s->dovi.logctx = avctx;
 +    s->dovi.logctx = (AVContext *) avctx;
-     s->dovi.cfg.dv_profile = 10; // default for AV1
+     s->dovi.dv_profile = 10; // default for AV1
      sd = ff_get_coded_side_data(avctx, AV_PKT_DATA_DOVI_CONF);
-     if (sd && sd->size >= sizeof(s->dovi.cfg))
-diff -up firefox-140.1.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx firefox-140.1.0/media/ffvpx/libavcodec/libdav1d.c
---- firefox-140.1.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx	2025-07-14 19:14:54.000000000 +0200
-+++ firefox-140.1.0/media/ffvpx/libavcodec/libdav1d.c	2025-07-31 13:03:08.395175190 +0200
-@@ -293,7 +293,7 @@ static av_cold int libdav1d_init(AVCodec
+     if (sd && sd->size > 0)
+diff -up thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c
+--- thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c.build-ffvpx	2024-07-10 12:46:57.005539959 +0200
++++ thunderbird-128.0/media/ffvpx/libavcodec/libdav1d.c	2024-07-10 12:47:19.067507705 +0200
+@@ -289,7 +289,7 @@ static av_cold int libdav1d_init(AVCodec
      c->delay = res > 1 ? res : 0;
  #endif
  
 -    dav1d->dovi.logctx = c;
 +    dav1d->dovi.logctx = (AVContext *) c;
-     dav1d->dovi.cfg.dv_profile = 10; // default for AV1
+     dav1d->dovi.dv_profile = 10; // default for AV1
      sd = ff_get_coded_side_data(c, AV_PKT_DATA_DOVI_CONF);
-     if (sd && sd->size >= sizeof(dav1d->dovi.cfg))
+     if (sd && sd->size > 0)

SOURCES/build-libaom.patch

@@ -1,13 +1,12 @@
 diff -up firefox-128.0/config/external/moz.build.libaom firefox-128.0/config/external/moz.build
 --- firefox-128.0/config/external/moz.build.libaom	2024-07-31 15:32:39.460374047 +0200
 +++ firefox-128.0/config/external/moz.build	2024-07-31 15:34:41.646064796 +0200
-@@ -39,9 +39,9 @@ if CONFIG["MOZ_VORBIS"]:
- 
+@@ -39,8 +39,8 @@ if CONFIG["MOZ_VORBIS"]:
  if not CONFIG["MOZ_SYSTEM_LIBVPX"]:
      external_dirs += ["media/libvpx"]
-+external_dirs += ["media/libaom"]
  
- if not CONFIG["MOZ_SYSTEM_AV1"]:
++external_dirs += ["media/libaom"]
+ if CONFIG["MOZ_AV1"]:
 -    external_dirs += ["media/libaom"]
      external_dirs += ["media/libdav1d"]
  

SOURCES/build-rhel7-lower-node-min-version.patch

@@ -1,9 +1,8 @@
-diff -up firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version firefox-140.0/python/mozbuild/mozbuild/nodeutil.py
---- firefox-140.0/python/mozbuild/mozbuild/nodeutil.py.build-rhel7-lower-node-min-version	2025-06-02 15:26:51.000000000 +0200
-+++ firefox-140.0/python/mozbuild/mozbuild/nodeutil.py	2025-06-12 11:54:37.075505124 +0200
-@@ -10,7 +10,7 @@ from mozboot.util import get_tools_dir
- from mozfile import which
+--- firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py.lower-node-min-version	2024-02-12 21:53:56.000000000 +0200
++++ firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py	2024-02-14 16:48:12.476182627 +0200
+@@ -13,7 +13,7 @@ from mozboot.util import get_tools_dir
  from packaging.version import Version
+ from six import PY3
  
 -NODE_MIN_VERSION = Version("12.22.12")
 +NODE_MIN_VERSION = Version("10.24.0")

SOURCES/build-rhel7-nasm-dwarf.patch

@@ -1,12 +1,12 @@
-diff -up firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf firefox-140.0/python/mozbuild/mozbuild/frontend/context.py
---- firefox-140.0/python/mozbuild/mozbuild/frontend/context.py.build-rhel7-nasm-dwarf	2025-06-02 15:26:51.000000000 +0200
-+++ firefox-140.0/python/mozbuild/mozbuild/frontend/context.py	2025-06-12 12:09:56.398728745 +0200
-@@ -417,7 +417,7 @@ class AsmFlags(BaseCompileFlags):
+diff -up firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py
+--- firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py.rhel7-nasm	2021-08-31 08:02:10.814740774 +0200
++++ firefox-91.0.1/python/mozbuild/mozbuild/frontend/context.py	2021-08-31 08:04:03.967146994 +0200
+@@ -420,7 +420,7 @@ class AsmFlags(BaseCompileFlags):
                  if self._context.config.substs.get("OS_ARCH") == "WINNT":
                      debug_flags += ["-F", "cv8"]
                  elif self._context.config.substs.get("OS_ARCH") != "Darwin":
 -                    debug_flags += ["-F", "dwarf"]
-+                    debug_flags += ["-F", "elf32"]
-             elif self._context.config.substs.get("CC_TYPE") == "clang-cl":
-                 if self._context.config.substs.get("TARGET_CPU") == "aarch64":
-                     # armasm64 accepts a paucity of options compared to ml/ml64.
++                    debug_flags += ["-f", "elf32"]
+             elif (
+                 self._context.config.substs.get("OS_ARCH") == "WINNT"
+                 and self._context.config.substs.get("CPU_ARCH") == "aarch64"

SOURCES/build-system-nss.patch

@@ -1,20 +0,0 @@
-diff -up firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json
---- firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json.system-nss	2025-07-25 10:17:19.112202464 +0200
-+++ firefox-140.0/third_party/rust/neqo-crypto/.cargo-checksum.json	2025-07-25 10:17:55.824333955 +0200
-@@ -1 +1 @@
--{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"83606aeb646b2833a8094f9d980c266ecc3e8cb40c93a4820da221988319dd1a","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
-\ No newline at end of file
-+{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null}
-\ No newline at end of file
-diff -up firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs
---- firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs.system-nss	2025-07-25 10:16:27.299270237 +0200
-+++ firefox-140.0/third_party/rust/neqo-crypto/src/constants.rs	2025-07-25 10:16:39.698529915 +0200
-@@ -83,7 +83,7 @@ remap_enum! {
-         TLS_GRP_EC_SECP521R1 = ssl_grp_ec_secp521r1,
-         TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519,
-         TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00,
--        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_mlkem768x25519,
-+        TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768,
-     }
- }
- 

SOURCES/build-workaround-s390x.patch

@@ -1,49 +0,0 @@
-From 13858b4787c24a40cdce819b963baebff186cfe0 Mon Sep 17 00:00:00 2001
-From: Paul Murphy <murp@redhat.com>
-Date: Tue, 25 Nov 2025 08:55:25 -0600
-Subject: [PATCH] HACK: workaround s390x
-
-Attempt to workaround what seems to be a codegen related bug on s390x.
-
-This seems to avoid a crash related to Ident or Punct structures on
-s390x.
-
-For: RHEL-118250
----
- third_party/rust/proc-macro2/.cargo-checksum.json | 2 +-
- third_party/rust/proc-macro2/src/lib.rs           | 4 ++++
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/third_party/rust/proc-macro2/.cargo-checksum.json b/third_party/rust/proc-macro2/.cargo-checksum.json
-index b0d735a3a2d6..c47ce4ac5611 100644
---- a/third_party/rust/proc-macro2/.cargo-checksum.json
-+++ b/third_party/rust/proc-macro2/.cargo-checksum.json
-@@ -1 +1 @@
--{"files":{"Cargo.toml":"41a9465146a2b62a642e29f065718649e686d3c9585736596392dd941c9b0bef","LICENSE-APACHE":"62c7a1e35f56406896d7aa7ca52d0cc0d272ac022b5d2796e7d6905db8a3636a","LICENSE-MIT":"23f18e03dc49df91622fe2a76176497404e46ced8a715d9d2b67a7446571cca3","README.md":"c609b6865476d6c35879784e9155367a97a0da496aa5c3c61488440a20f59883","build.rs":"cf78c0005f11d54ca42dbaee77cb76a440e6fa2e0b64798d3f74c04770a0ad2b","build/probe.rs":"971fd2178dc506ccdc5c2065c37b77696a4aee8e00330ca52625db4a857f68d3","rust-toolchain.toml":"6bbb61302978c736b2da03e4fb40e3beab908f85d533ab46fd541e637b5f3e0f","src/detection.rs":"ed9a5f9a979ab01247d7a68eeb1afa3c13209334c5bfff0f9289cb07e5bb4e8b","src/extra.rs":"29f094473279a29b71c3cc9f5fa27c2e2c30c670390cf7e4b7cf451486cc857e","src/fallback.rs":"be1ce5e32c88c29d41d2ab663375951817d52decce3dc9e335ec22378be8fa65","src/lib.rs":"97ca48f50ad15fbcef42b31fb4fbfb8e4a1c5f946d776aa44fd04b37d7c64b32","src/location.rs":"9225c5a55f03b56cce42bc55ceb509e8216a5e0b24c94aa1cd071b04e3d6c15f","src/marker.rs":"c11c5a1be8bdf18be3fcd224393f350a9aae7ce282e19ce583c84910c6903a8f","src/parse.rs":"4b77cddbc2752bc4d38a65acd8b96b6786c5220d19b1e1b37810257b5d24132d","src/rcvec.rs":"1c3c48c4f819927cc445ae15ca3bb06775feff2fd1cb21901ae4c40c7e6b4e82","src/wrapper.rs":"e41df9abc846b40f0cf01150d22b91944d07cde93bc72aa34798101652675844","tests/comments.rs":"31115b3a56c83d93eef2fb4c9566bf4543e302560732986161b98aef504785ed","tests/features.rs":"a86deb8644992a4eb64d9fd493eff16f9cf9c5cb6ade3a634ce0c990cf87d559","tests/marker.rs":"473e962ee1aa0633dd5cf9a973b3bbd0ef43b740d4b7f6d008ff455a6b89d386","tests/test.rs":"2e7106f582367d168638be7364d4e9aadbe0affca8b51dd80f0b3977cc2fcf83","tests/test_fmt.rs":"b7743b612af65f2c88cbe109d50a093db7aa7e87f9e37bf45b7bbaeb240aa020","tests/test_size.rs":"62d8373ea46b669b87bc90a9c49b6d02f90ff4c21f9a25acebf60c9926e01fb7"},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"}
-\ No newline at end of file
-+{"files":{},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"}
-diff --git a/third_party/rust/proc-macro2/src/lib.rs b/third_party/rust/proc-macro2/src/lib.rs
-index 1430306bb31d..81f8c15a67e4 100644
---- a/third_party/rust/proc-macro2/src/lib.rs
-+++ b/third_party/rust/proc-macro2/src/lib.rs
-@@ -806,6 +806,8 @@ impl Debug for Group {
- /// `Punct` with different forms of `Spacing` returned.
- #[derive(Clone)]
- pub struct Punct {
-+    #[cfg(target_arch = "s390x")]
-+    foo: u64,
-     ch: char,
-     spacing: Spacing,
-     span: Span,
-@@ -834,6 +836,8 @@ impl Punct {
-     /// which can be further configured with the `set_span` method below.
-     pub fn new(ch: char, spacing: Spacing) -> Self {
-         Punct {
-+            #[cfg(target_arch = "s390x")]
-+            foo: 0xabcd,
-             ch,
-             spacing,
-             span: Span::call_site(),
--- 
-2.51.1
-

SOURCES/disable-pipewire.patch

@@ -0,0 +1,274 @@
+diff -up firefox-128.0/dom/media/webrtc/third_party_build/webrtc.mozbuild.disable-pipewire firefox-128.0/dom/media/webrtc/third_party_build/webrtc.mozbuild
+--- firefox-128.0/dom/media/webrtc/third_party_build/webrtc.mozbuild.disable-pipewire	2024-07-17 14:01:36.290603114 +0200
++++ firefox-128.0/dom/media/webrtc/third_party_build/webrtc.mozbuild	2024-07-17 14:52:02.039208338 +0200
+@@ -31,7 +31,7 @@ if CONFIG["MOZ_WEBRTC"]:
+                 and CONFIG["TARGET_CPU"].startswith("mips")
+             )
+         ):
+-            DEFINES["WEBRTC_USE_PIPEWIRE"] = True
++            DEFINES["WEBRTC_USE_PIPEWIRE"] = False
+     elif CONFIG["OS_TARGET"] == "Darwin":
+         DEFINES["WEBRTC_MAC"] = True
+     elif CONFIG["OS_TARGET"] == "WINNT":
+diff -up firefox-128.0/third_party/libwebrtc/modules/desktop_capture/desktop_capture_gn/moz.build.disable-pipewire firefox-128.0/third_party/libwebrtc/modules/desktop_capture/desktop_capture_gn/moz.build
+--- firefox-128.0/third_party/libwebrtc/modules/desktop_capture/desktop_capture_gn/moz.build.disable-pipewire	2024-07-17 14:01:36.291603109 +0200
++++ firefox-128.0/third_party/libwebrtc/modules/desktop_capture/desktop_capture_gn/moz.build	2024-07-17 14:56:35.419826494 +0200
+@@ -241,102 +241,6 @@ if CONFIG["TARGET_CPU"] == "aarch64":
+     DEFINES["WEBRTC_ARCH_ARM64"] = True
+     DEFINES["WEBRTC_HAS_NEON"] = True
+ 
+-if CONFIG["TARGET_CPU"] == "arm":
+-
+-    CXXFLAGS += [
+-        "-mfpu=neon"
+-    ]
+-
+-    DEFINES["WEBRTC_ARCH_ARM"] = True
+-    DEFINES["WEBRTC_ARCH_ARM_V7"] = True
+-    DEFINES["WEBRTC_HAS_NEON"] = True
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+-if CONFIG["TARGET_CPU"] == "mips32":
+-
+-    DEFINES["MIPS32_LE"] = True
+-    DEFINES["MIPS_FPU_LE"] = True
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+-if CONFIG["TARGET_CPU"] == "mips64":
+-
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+ if CONFIG["TARGET_CPU"] == "ppc64":
+ 
+     DEFINES["USE_X11"] = "1"
+@@ -389,35 +293,6 @@ if CONFIG["MOZ_DEBUG"] == "1" and CONFIG
+ 
+     DEFINES["_HAS_ITERATOR_DEBUGGING"] = "0"
+ 
+-if CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "aarch64":
+-
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+ if CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "riscv64":
+ 
+     DEFINES["USE_X11"] = "1"
+@@ -446,95 +321,6 @@ if CONFIG["OS_TARGET"] == "Linux" and CO
+         "/third_party/libwebrtc/modules/desktop_capture/linux/x11/x_window_property.cc"
+     ]
+ 
+-if CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "x86":
+-
+-    CXXFLAGS += [
+-        "-msse2"
+-    ]
+-
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+-if CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "x86_64":
+-
+-    DEFINES["WEBRTC_USE_PIPEWIRE"] = True
+-    DEFINES["_GNU_SOURCE"] = True
+-
+-    LOCAL_INCLUDES += [
+-        "/gfx/angle/checkout/include/",
+-        "/third_party/drm/drm/",
+-        "/third_party/drm/drm/include/",
+-        "/third_party/drm/drm/include/libdrm/",
+-        "/third_party/gbm/gbm/",
+-        "/third_party/libepoxy/libepoxy/include/",
+-        "/third_party/pipewire/"
+-    ]
+-
+-    SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/base_capturer_pipewire.cc"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/egl_dmabuf.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/mouse_cursor_monitor_pipewire.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/restore_token_manager.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screen_capture_portal_interface.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_stream_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/wayland/shared_screencast_stream.cc"
+-    ]
+-
+-if CONFIG["MOZ_X11"] == "1" and CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "aarch64":
+-
+-    DEFINES["USE_X11"] = "1"
+-    DEFINES["WEBRTC_USE_X11"] = True
+-
+-    OS_LIBS += [
+-        "X11",
+-        "Xcomposite",
+-        "Xdamage",
+-        "Xext",
+-        "Xfixes",
+-        "Xrandr",
+-        "Xrender"
+-    ]
+-
+-    UNIFIED_SOURCES += [
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/mouse_cursor_monitor_x11.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/screen_capturer_x11.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/shared_x_display.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/window_capturer_x11.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/window_finder_x11.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/window_list_utils.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/x_atom_cache.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/x_error_trap.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/x_server_pixel_buffer.cc",
+-        "/third_party/libwebrtc/modules/desktop_capture/linux/x11/x_window_property.cc"
+-    ]
+ 
+ if CONFIG["MOZ_X11"] == "1" and CONFIG["OS_TARGET"] == "Linux" and CONFIG["TARGET_CPU"] == "arm":
+ 
+diff -up firefox-128.0/third_party/libwebrtc/modules/portal/portal_gn/moz.build.disable-pipewire firefox-128.0/third_party/libwebrtc/modules/portal/portal_gn/moz.build
+--- firefox-128.0/third_party/libwebrtc/modules/portal/portal_gn/moz.build.disable-pipewire	2024-07-04 18:20:41.000000000 +0200
++++ firefox-128.0/third_party/libwebrtc/modules/portal/portal_gn/moz.build	2024-07-17 14:01:36.291603109 +0200
+@@ -27,7 +27,7 @@ DEFINES["WEBRTC_MOZILLA_BUILD"] = True
+ DEFINES["WEBRTC_NON_STATIC_TRACE_EVENT_HANDLERS"] = "0"
+ DEFINES["WEBRTC_POSIX"] = True
+ DEFINES["WEBRTC_STRICT_FIELD_TRIALS"] = "0"
+-DEFINES["WEBRTC_USE_PIPEWIRE"] = True
++DEFINES["WEBRTC_USE_PIPEWIRE"] = False
+ DEFINES["_FILE_OFFSET_BITS"] = "64"
+ DEFINES["_GNU_SOURCE"] = True
+ DEFINES["_LARGEFILE64_SOURCE"] = True
+diff -up firefox-128.0/third_party/libwebrtc/third_party/pipewire/pipewire_gn/moz.build.disable-pipewire firefox-128.0/third_party/libwebrtc/third_party/pipewire/pipewire_gn/moz.build
+--- firefox-128.0/third_party/libwebrtc/third_party/pipewire/pipewire_gn/moz.build.disable-pipewire	2024-07-04 18:20:41.000000000 +0200
++++ firefox-128.0/third_party/libwebrtc/third_party/pipewire/pipewire_gn/moz.build	2024-07-17 14:01:36.291603109 +0200
+@@ -25,7 +25,7 @@ DEFINES["WEBRTC_MOZILLA_BUILD"] = True
+ DEFINES["WEBRTC_NON_STATIC_TRACE_EVENT_HANDLERS"] = "0"
+ DEFINES["WEBRTC_POSIX"] = True
+ DEFINES["WEBRTC_STRICT_FIELD_TRIALS"] = "0"
+-DEFINES["WEBRTC_USE_PIPEWIRE"] = True
++DEFINES["WEBRTC_USE_PIPEWIRE"] = False
+ DEFINES["_FILE_OFFSET_BITS"] = "64"
+ DEFINES["_GNU_SOURCE"] = True
+ DEFINES["_LARGEFILE64_SOURCE"] = True

SOURCES/distribution.ini

@@ -0,0 +1,9 @@
+[Global]
+id=almalinux
+version=1.0
+about=Mozilla Firefox for AlmaLinux
+
+[Preferences]
+app.distributor=almalinux
+app.distributor.channel=almalinux
+app.partner.fedora=almalinux

SOURCES/exceptionHandled-for-IO-error-processhandler.patch

@@ -1,29 +0,0 @@
-diff -up firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py.exceptionHandled-for-IO-error-processhandler firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py
---- firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py.exceptionHandled-for-IO-error-processhandler	2025-07-14 19:14:55.000000000 +0200
-+++ firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py	2025-08-05 18:05:54.329479764 +0200
-@@ -1098,11 +1098,22 @@ class ProcessReader:
- 
-     def _read_stream(self, stream, queue, callback):
-         sentinel = "" if isinstance(stream, io.TextIOBase) else b""
--        for line in iter(stream.readline, sentinel):
--            queue.put((line, callback))
-+        try:
-+            for line in iter(stream.readline, sentinel):
-+                queue.put((line, callback))
-+        except ValueError as e:
-+            if "I/O operation on closed file" in str(e):
-+                # Stream was closed by the process, this is normal
-+                pass
-+            else:
-+                raise
-         # Give a chance to the reading loop to exit without a timeout.
-         queue.put((b"", None))
--        stream.close()
-+        try:
-+            stream.close()
-+        except ValueError:
-+            # Stream might already be closed
-+            pass
- 
-     def start(self, proc):
-         queue = Queue()

SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch

@@ -1,59 +0,0 @@
-diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-index 31aa1ddd67..93ab402bfd 100644
---- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
-   return Success;
- }
- 
-+static SECOidTag
-+findOIDByName(const char *cipherString)
-+{
-+  SECOidTag tag;
-+  SECOidData *oid;
-+
-+  for (int i = 1; ; i++) {
-+    SECOidTag tag = static_cast<SECOidTag>(i);
-+    oid = SECOID_FindOIDByTag(tag);
-+
-+    if (oid == NULL) {
-+      break;
-+    }
-+
-+    if (strcasecmp(oid->desc, cipherString) == 0) {
-+      return tag;
-+    }
-+  }
-+
-+  return SEC_OID_UNKNOWN;
-+}
-+
- Result
- VerifyMLDSASignedDataNSS(Input data,
-                          Input signature,
-@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
-   SECItem dataItem(UnsafeMapInputToSECItem(data));
-   CK_MECHANISM_TYPE mechanism;
- 
--  switch (pubk->u.mldsa.paramSet) {
--    case SEC_OID_ML_DSA_44:
--    case SEC_OID_ML_DSA_65:
--    case SEC_OID_ML_DSA_87:
--      mechanism = CKM_ML_DSA;
--      signaturePolicyTag = pubk->u.mldsa.paramSet;
--      hashPolicyTag = SEC_OID_UNKNOWN;
--      break;
--    default:
--      return Result::ERROR_UNSUPPORTED_KEYALG;
--      break;
-+  if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
-+      pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
-+      pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
-+    hashPolicyTag = SEC_OID_UNKNOWN;
-+    mechanism = CKM_ML_DSA;
-+    signaturePolicyTag = pubk->u.mldsa.params;
-+  } else {
-+    return Result::ERROR_UNSUPPORTED_KEYALG;
-   }
- 
-   SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};

SOURCES/firefox-add-ml-dsa-certificate-support-to-certviewer.patch

@@ -1,323 +0,0 @@
-diff --git a/toolkit/components/certviewer/content/certDecoder.mjs b/toolkit/components/certviewer/content/certDecoder.mjs
---- a/toolkit/components/certviewer/content/certDecoder.mjs
-+++ b/toolkit/components/certviewer/content/certDecoder.mjs
-@@ -5,10 +5,11 @@
- import {
-   Certificate,
-   ECNamedCurves,
-   ECPublicKey,
-   RSAPublicKey,
-+  MLDSAPublicKey,
- } from "./vendor/pkijs.js";
- 
- const getTimeZone = () => {
-   let timeZone = new Date().toString().match(/\(([A-Za-z\s].*)\)/);
-   if (timeZone === null) {
-@@ -45,10 +46,19 @@
-       x, // x coordinate
-       y, // y coordinate
-       xy: `04:${x}:${y}`, // 04 (uncompressed) public key
-     };
-   }
-+  if (publicKey instanceof MLDSAPublicKey) {
-+    let keyHex = publicKey.rhoT1.valueBlock.valueHex;
-+    let keyBytes = new Uint8Array(keyHex);
-+    return {
-+      kty: publicKey.alg,
-+      keysize: keyBytes.length,
-+      rhoT1: hashify(keyHex),
-+    };
-+  }
-   return { kty: "Unknown" };
- };
- 
- const getX509Ext = (extensions, v) => {
-   for (var extension in extensions) {
-@@ -1132,10 +1142,13 @@
-     "2.16.840.1.101.3.4.3.2": "DSA with SHA-256",
-     "1.2.840.10045.4.1": "ECDSA with SHA-1",
-     "1.2.840.10045.4.3.2": "ECDSA with SHA-256",
-     "1.2.840.10045.4.3.3": "ECDSA with SHA-384",
-     "1.2.840.10045.4.3.4": "ECDSA with SHA-512",
-+    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
-+    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
-+    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
-   },
- 
-   aia: {
-     "1.3.6.1.5.5.7.48.1": "Online Certificate Status Protocol (OCSP)",
-     "1.3.6.1.5.5.7.48.2": "CA Issuers",
-diff --git a/toolkit/components/certviewer/content/certviewer.mjs b/toolkit/components/certviewer/content/certviewer.mjs
---- a/toolkit/components/certviewer/content/certviewer.mjs
-+++ b/toolkit/components/certviewer/content/certviewer.mjs
-@@ -74,10 +74,23 @@
-     }
-   }
-   return result ? result : false;
- };
- 
-+const getMLDSASecurityLevel = signatureName => {
-+  switch (signatureName) {
-+    case "ML-DSA-44":
-+      return "Level 2 (NIST)";
-+    case "ML-DSA-65":
-+      return "Level 3 (NIST)";
-+    case "ML-DSA-87":
-+      return "Level 5 (NIST)";
-+    default:
-+      return null;
-+  }
-+};
-+
- export const adjustCertInformation = cert => {
-   let certItems = [];
-   let tabName = cert?.subject?.cn || "";
-   if (cert && !tabName) {
-     // No common name, use the value of the last item in the cert's entries.
-@@ -173,10 +186,15 @@
-           createEntryItem("key-size", cert.subjectPublicKeyInfo.keysize),
-           createEntryItem("curve", cert.subjectPublicKeyInfo.crv),
-           createEntryItem("public-value", cert.subjectPublicKeyInfo.xy, true),
-           createEntryItem("exponent", cert.subjectPublicKeyInfo.e),
-           createEntryItem("modulus", cert.subjectPublicKeyInfo.n, true),
-+          createEntryItem(
-+            "mldsa-public-value",
-+            cert.subjectPublicKeyInfo.rhoT1,
-+            true
-+          ),
-         ].filter(elem => elem != null);
-       }
-       return items;
-     },
-     certItems,
-@@ -190,14 +208,23 @@
-         createEntryItem("serial-number", cert.serialNumber, true),
-         createEntryItem(
-           "signature-algorithm",
-           cert.signature ? cert.signature.name : null
-         ),
-+      ];
-+
-+      const secLvl = getMLDSASecurityLevel(cert.signature?.name);
-+      if (secLvl) {
-+        items.push(createEntryItem("security-level", secLvl));
-+      }
-+
-+      items.push(
-         createEntryItem("version", cert.version),
--        createEntryItem("download", cert.files ? cert.files.pem : null),
--      ].filter(elem => elem != null);
--      return items;
-+        createEntryItem("download", cert.files ? cert.files.pem : null)
-+      );
-+
-+      return items.filter(elem => elem != null);
-     },
-     certItems,
-     "miscellaneous",
-     false
-   );
-diff --git a/toolkit/components/certviewer/content/vendor/pkijs.js b/toolkit/components/certviewer/content/vendor/pkijs.js
---- a/toolkit/components/certviewer/content/vendor/pkijs.js
-+++ b/toolkit/components/certviewer/content/vendor/pkijs.js
-@@ -8609,10 +8609,90 @@
-         this.publicExponent = new Integer({ valueHex: stringToArrayBuffer(fromBase64(json.e, true)).slice(0, 3) });
-     }
- }
- RSAPublicKey.CLASS_NAME = "RSAPublicKey";
- 
-+/* @see https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html */
-+const RHO_T1 = "rhoT1";
-+const ALG = "alg";
-+const CLEAR_PROPS_MLDSA = [RHO_T1, ALG];
-+const MLDSA_MIN_LENGTH = 32;
-+class MLDSAPublicKey extends PkiObject {
-+    constructor(parameters = {}) {
-+        super();
-+
-+        this.rhoT1 = getParametersValue(parameters, RHO_T1, MLDSAPublicKey.defaultValues(RHO_T1));
-+        this.alg = getParametersValue(parameters, ALG, MLDSAPublicKey.defaultValues(ALG));
-+
-+        if (parameters.json) {
-+            this.fromJSON(parameters.json);
-+        }
-+
-+        if (parameters.schema) {
-+            this.fromSchema(parameters.schema);
-+        }
-+    }
-+
-+    static defaultValues(memberName) {
-+        switch (memberName) {
-+            case RHO_T1:
-+                return new BitString();
-+            case ALG:
-+                return "";
-+            default:
-+                return super.defaultValues(memberName);
-+        }
-+    }
-+
-+    static schema(parameters = {}) {
-+        const names = getParametersValue(parameters, "names", {});
-+        return new BitString({ name: names.rhoT1 || RHO_T1 });
-+    }
-+
-+    fromSchema(schema) {
-+        clearProps(schema, CLEAR_PROPS_MLDSA);
-+
-+        const asn1 = compareSchema(schema, schema, MLDSAPublicKey.schema({
-+            names: { rhoT1: RHO_T1 }
-+        }));
-+
-+        AsnError.assertSchema(asn1, this.className);
-+
-+        const bitString = asn1.result.rhoT1;
-+        const length = bitString.valueBlock.valueHexView.length;
-+
-+        if (length < MLDSA_MIN_LENGTH || (length - MLDSA_MIN_LENGTH) % 320 !== 0) {
-+            throw new Error(`Invalid ML-DSA key length: ${length} bytes`);
-+        }
-+
-+        this.rhoT1 = bitString;
-+    }
-+
-+    toSchema() {
-+        return this.rhoT1;
-+    }
-+
-+    toJSON() {
-+        return {
-+            rhoT1: Convert.ToBase64Url(this.rhoT1.valueBlock.valueHexView),
-+            alg: this.alg
-+        };
-+    }
-+
-+    fromJSON(json) {
-+        ParameterError.assert("json", json, "rhoT1");
-+        const rawBuffer = stringToArrayBuffer(fromBase64(json.rhoT1, true));
-+
-+        if (rawBuffer.byteLength < MLDSA_MIN_LENGTH || (rawBuffer.byteLength - MLDSA_MIN_LENGTH) % 320 !== 0) {
-+            throw new Error(`Invalid ML-DSA key length: ${rawBuffer.byteLength} bytes`);
-+        }
-+
-+        this.rhoT1 = new BitString({ valueHex: rawBuffer });
-+    }
-+}
-+MLDSAPublicKey.CLASS_NAME = "MLDSAPublicKey";
-+
- const ALGORITHM$1 = "algorithm";
- const SUBJECT_PUBLIC_KEY = "subjectPublicKey";
- const CLEAR_PROPS$1a = [ALGORITHM$1, SUBJECT_PUBLIC_KEY];
- class PublicKeyInfo extends PkiObject {
-     constructor(parameters = {}) {
-@@ -8657,10 +8737,22 @@
-                             catch (ex) {
-                             }
-                         }
-                     }
-                     break;
-+                case "2.16.840.1.101.3.4.3.17":
-+                    /* Already a bitstring */
-+                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-44" });
-+                    break;
-+                case "2.16.840.1.101.3.4.3.18":
-+                    /* Already a bitstring */
-+                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-65" });
-+                    break;
-+                case "2.16.840.1.101.3.4.3.19":
-+                    /* Already a bitstring */
-+                    this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-87" });
-+                    break;
-             }
-             this._parsedKey || (this._parsedKey = null);
-         }
-         return this._parsedKey || undefined;
-     }
-@@ -8724,10 +8816,19 @@
-                 jwk.kty = "EC";
-                 break;
-             case "1.2.840.113549.1.1.1":
-                 jwk.kty = "RSA";
-                 break;
-+            case "2.16.840.1.101.3.4.3.17":
-+                jwk.kty = "ML-DSA-44";
-+                break;
-+            case "2.16.840.1.101.3.4.3.18":
-+                jwk.kty = "ML-DSA-65";
-+                break;
-+            case "2.16.840.1.101.3.4.3.19":
-+                jwk.kty = "ML-DSA-87";
-+                break;
-         }
-         const publicKeyJWK = this.parsedKey.toJSON();
-         Object.assign(jwk, publicKeyJWK);
-         return jwk;
-     }
-@@ -8746,10 +8847,31 @@
-                     this.algorithm = new AlgorithmIdentifier({
-                         algorithmId: "1.2.840.113549.1.1.1",
-                         algorithmParams: new Null()
-                     });
-                     break;
-+                case "ML-DSA-44":
-+                    this.parsedKey = new MLDSAPublicKey({ json });
-+                    this.algorithm = new AlgorithmIdentifier({
-+                        algorithmId: "2.16.840.1.101.3.4.3.17",
-+                        algorithmParams: new Null()
-+                    });
-+                    break;
-+                case "ML-DSA-65":
-+                    this.parsedKey = new MLDSAPublicKey({ json });
-+                    this.algorithm = new AlgorithmIdentifier({
-+                        algorithmId: "2.16.840.1.101.3.4.3.18",
-+                        algorithmParams: new Null()
-+                    });
-+                    break;
-+                case "ML-DSA-87":
-+                    this.parsedKey = new MLDSAPublicKey({ json });
-+                    this.algorithm = new AlgorithmIdentifier({
-+                        algorithmId: "2.16.840.1.101.3.4.3.19",
-+                        algorithmParams: new Null()
-+                    });
-+                    break;
-                 default:
-                     throw new Error(`Invalid value for "kty" parameter: ${json.kty}`);
-             }
-             this.subjectPublicKey = new BitString({ valueHex: this.parsedKey.toSchema().toBER(false) });
-         }
-@@ -24078,6 +24200,6 @@
-     }
- }
- 
- initCryptoEngine();
- 
--export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate };
-+export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate, MLDSAPublicKey };
-diff --git a/toolkit/locales/en-US/toolkit/about/certviewer.ftl b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
---- a/toolkit/locales/en-US/toolkit/about/certviewer.ftl
-+++ b/toolkit/locales/en-US/toolkit/about/certviewer.ftl
-@@ -45,20 +45,22 @@
- certificate-viewer-organization = Organization
- certificate-viewer-organizational-unit = Organizational Unit
- certificate-viewer-policy = Policy
- certificate-viewer-protocol = Protocol
- certificate-viewer-public-value = Public Value
-+certificate-viewer-mldsa-public-value = Public Value
- certificate-viewer-purposes = Purposes
- certificate-viewer-qualifier = Qualifier
- certificate-viewer-qualifiers = Qualifiers
- certificate-viewer-required = Required
- certificate-viewer-unsupported = &lt;unsupported&gt;
- # Inc. means Incorporated, e.g GitHub is incorporated in Delaware
- certificate-viewer-inc-state-province = Inc. State/Province
- certificate-viewer-state-province = State/Province
- certificate-viewer-sha-1 = SHA-1
- certificate-viewer-sha-256 = SHA-256
-+certificate-viewer-security-level = Security Level
- certificate-viewer-serial-number = Serial Number
- certificate-viewer-signature-algorithm = Signature Algorithm
- certificate-viewer-signature-scheme = Signature Scheme
- certificate-viewer-timestamp = Timestamp
- certificate-viewer-value = Value
-

SOURCES/firefox-enable-ml-dsa-in-manager-ssl.patch

@@ -1,48 +0,0 @@
-diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
-index 2dc48c9f4c..0a7b84d787 100644
---- a/security/manager/ssl/nsNSSCallbacks.cpp
-+++ b/security/manager/ssl/nsNSSCallbacks.cpp
-@@ -722,6 +722,15 @@ nsCString getSignatureName(uint32_t aSignatureScheme) {
-     case ssl_sig_rsa_pkcs1_sha1md5:
-       signatureName = "RSA-PKCS1-SHA1MD5"_ns;
-       break;
-+    case ssl_sig_mldsa44:
-+      signatureName = "ML-DSA-44"_ns;
-+      break;
-+    case ssl_sig_mldsa65:
-+      signatureName = "ML-DSA-65"_ns;
-+      break;
-+    case ssl_sig_mldsa87:
-+      signatureName = "ML-DSA-87"_ns;
-+      break;
-     // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes
-     // in nsNSSIOLayer.cpp.
-     default:
-@@ -1061,6 +1070,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
-           glean::ssl::auth_ecdsa_curve_full.AccumulateSingleSample(
-               ECCCurve(channelInfo.authKeyBits));
-           break;
-+      case ssl_auth_mldsa44:
-+      case ssl_auth_mldsa65:
-+      case ssl_auth_mldsa87:
-+          /* TODO: add auth_mldsa_key_size_full in ssl/metrics.yaml
-+          glean::ssl::auth_mldsa_key_size_full.AccumulateSingleSample(
-+              NonECCKeySize(channelInfo.authKeyBits)); */
-+          break;
-         default:
-           MOZ_CRASH("impossible auth algorithm");
-           break;
-diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp
-index b1a5f5c2df..7443011b13 100644
---- a/security/manager/ssl/nsNSSIOLayer.cpp
-+++ b/security/manager/ssl/nsNSSIOLayer.cpp
-@@ -1300,6 +1300,9 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd,
- // Please change getSignatureName in nsNSSCallbacks.cpp when changing the list
- // here. See NOTE at SSL_SignatureSchemePrefSet call site.
- static const SSLSignatureScheme sEnabledSignatureSchemes[] = {
-+    ssl_sig_mldsa87,
-+    ssl_sig_mldsa65,
-+    ssl_sig_mldsa44,
-     ssl_sig_ecdsa_secp256r1_sha256,
-     ssl_sig_ecdsa_secp384r1_sha384,
-     ssl_sig_ecdsa_secp521r1_sha512,

SOURCES/firefox-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch

@@ -1,239 +0,0 @@
-diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h
-index ac1ec24393..40eb5027af 100644
---- a/security/nss/lib/mozpkix/include/pkix/pkixder.h
-+++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h
-@@ -488,7 +488,7 @@ inline Result OptionalExtensions(Reader& input, uint8_t tag,
- Result DigestAlgorithmIdentifier(Reader& input,
-                                  /*out*/ DigestAlgorithm& algorithm);
- 
--enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA };
-+enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA, MLDSA };
- 
- Result SignatureAlgorithmIdentifierValue(
-     Reader& input,
-diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
-index 6711959e71..b87e88a599 100644
---- a/security/nss/lib/mozpkix/include/pkix/pkixnss.h
-+++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h
-@@ -50,6 +50,13 @@ Result VerifyECDSASignedDataNSS(Input data, DigestAlgorithm digestAlgorithm,
-                                 Input signature, Input subjectPublicKeyInfo,
-                                 void* pkcs11PinArg);
- 
-+// Verifies the ML-DSA signature on the given data using the given ML-DSA
-+// public key
-+Result VerifyMLDSASignedDataNSS(Input data,
-+                                Input signature,
-+                                Input subjectPublicKeyInfo,
-+                                void* pkcs11PinArg);
-+
- // Computes the digest of the given data using the given digest algorithm.
- //
- // item contains the data to hash.
-diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
-index 6a07d6e885..f24bd546e4 100644
---- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
-+++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h
-@@ -334,6 +334,10 @@ class TrustDomain {
-                                        Input signature,
-                                        Input subjectPublicKeyInfo) = 0;
- 
-+  virtual Result VerifyMLDSASignedData(Input data,
-+                                       Input signature,
-+                                       Input subjectPublicKeyInfo) = 0;
-+
-   // Check that the validity duration is acceptable.
-   //
-   // Return Success if the validity duration is acceptable,
-diff --git a/security/nss/lib/mozpkix/lib/pkixc.cpp b/security/nss/lib/mozpkix/lib/pkixc.cpp
-index 5dea13c43e..f797a3b3a1 100644
---- a/security/nss/lib/mozpkix/lib/pkixc.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixc.cpp
-@@ -143,6 +143,15 @@ class CodeSigningTrustDomain final : public TrustDomain {
-         subjectPublicKeyInfo, nullptr);
-   }
- 
-+  virtual Result VerifyMLDSASignedData(Input data,
-+                                       Input signature,
-+                                       Input subjectPublicKeyInfo) override {
-+    return VerifyMLDSASignedDataNSS(data,
-+                                    signature,
-+                                    subjectPublicKeyInfo,
-+                                    nullptr);
-+  }
-+
-   virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
-                                            EndEntityOrCA endEntityOrCA,
-                                            KeyPurposeId keyPurpose) override {
-diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
-index 8b7e1bf73e..4ce73f3944 100644
---- a/security/nss/lib/mozpkix/lib/pkixcheck.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp
-@@ -118,6 +118,9 @@ CheckSignatureAlgorithm(TrustDomain& trustDomain,
-       // for any curve that we support, the chances of us encountering a curve
-       // during path building is too low to be worth bothering with.
-       break;
-+
-+    case der::PublicKeyAlgorithm::MLDSA:
-+      break;
-     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
-   }
- 
-@@ -248,6 +251,24 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
-     0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01
-   };
- 
-+  // Params for pure ML-DSA-44 signature
-+  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
-+  static const uint8_t id_ml_dsa_44[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
-+  };
-+
-+  // Params for pure ML-DSA-65 signature
-+  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
-+  static const uint8_t id_ml_dsa_65[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
-+  };
-+
-+  // Params for pure ML-DSA-87 signature
-+  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
-+  static const uint8_t id_ml_dsa_87[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
-+  };
-+
-   if (algorithmOID.MatchRest(id_ecPublicKey)) {
-     // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes
-     // the curve being used. Although RFC 5480 specifies multiple forms, we
-@@ -361,6 +382,30 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain,
-     if (rv != Success) {
-       return rv;
-     }
-+  } else if (algorithmOID.MatchRest(id_ml_dsa_44) ||
-+             algorithmOID.MatchRest(id_ml_dsa_65) ||
-+             algorithmOID.MatchRest(id_ml_dsa_87)) {
-+
-+    /*
-+     * The ML-DSA AlgorithmIdentifier is expected to contain only the OID,
-+     * with no parameters field present. According to the Internet-Draft
-+     * https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html
-+     * (Section 3), the AlgorithmIdentifier for ML-DSA variants must omit the `parameters`
-+     * field entirely.
-+     * In DER encoding, the absence of the parameters field means that after parsing the
-+     * OID, no additional bytes should remain. Calling `der::End(algorithm)` confirms that
-+     * this constraint is satisfied and that the structure is correctly encoded.
-+     */
-+    rv = der::End(algorithm);
-+    if (rv != Success) {
-+      return rv;
-+    }
-+
-+    Input rawPublicKey;
-+    rv = subjectPublicKeyReader.SkipToEnd(rawPublicKey);
-+    if (rv != Success) {
-+      return rv;
-+    }
-   } else {
-     return Result::ERROR_UNSUPPORTED_KEYALG;
-   }
-diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp
-index 59454c7d3c..4ff45ed566 100644
---- a/security/nss/lib/mozpkix/lib/pkixder.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixder.cpp
-@@ -211,6 +211,24 @@ SignatureAlgorithmIdentifierValue(Reader& input,
-     0x00, 0xa2, 0x03, 0x02, 0x01, 0x40
-   };
- 
-+  // Params for pure ML-DSA-44 signature
-+  // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17
-+  static const uint8_t id_ml_dsa_44[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11
-+  };
-+
-+  // Params for pure ML-DSA-65 signature
-+  // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18
-+  static const uint8_t id_ml_dsa_65[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12
-+  };
-+
-+  // Params for pure ML-DSA-87 signature
-+  // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19
-+  static const uint8_t id_ml_dsa_87[] = {
-+      0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13
-+  };
-+
-   // Matching is attempted based on a rough estimate of the commonality of the
-   // algorithm, to minimize the number of MatchRest calls.
-   if (algorithmID.MatchRest(sha256WithRSAEncryption)) {
-@@ -252,6 +270,10 @@ SignatureAlgorithmIdentifierValue(Reader& input,
-     } else {
-       return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
-     }
-+  } else if (algorithmID.MatchRest(id_ml_dsa_44) ||
-+             algorithmID.MatchRest(id_ml_dsa_65) ||
-+             algorithmID.MatchRest(id_ml_dsa_87)) {
-+    publicKeyAlgorithm = PublicKeyAlgorithm::MLDSA;
-   } else {
-     return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED;
-   }
-diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-index 606ef708d8..31aa1ddd67 100644
---- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-@@ -303,6 +303,44 @@ DigestBufNSS(Input item,
-   return Success;
- }
- 
-+Result
-+VerifyMLDSASignedDataNSS(Input data,
-+                         Input signature,
-+                         Input subjectPublicKeyInfo,
-+                         void* pkcs11PinArg)
-+{
-+  ScopedSECKEYPublicKey publicKey;
-+  SECKEYPublicKey *pubk = NULL;
-+  SECOidTag signaturePolicyTag, hashPolicyTag;
-+  Result rv = SubjectPublicKeyInfoToSECKEYPublicKey(subjectPublicKeyInfo,
-+                                                    publicKey);
-+  if (rv != Success) {
-+    return rv;
-+  }
-+
-+  pubk = publicKey.get();
-+  SECItem signatureItem(UnsafeMapInputToSECItem(signature));
-+  SECItem dataItem(UnsafeMapInputToSECItem(data));
-+  CK_MECHANISM_TYPE mechanism;
-+
-+  switch (pubk->u.mldsa.paramSet) {
-+    case SEC_OID_ML_DSA_44:
-+    case SEC_OID_ML_DSA_65:
-+    case SEC_OID_ML_DSA_87:
-+      mechanism = CKM_ML_DSA;
-+      signaturePolicyTag = pubk->u.mldsa.paramSet;
-+      hashPolicyTag = SEC_OID_UNKNOWN;
-+      break;
-+    default:
-+      return Result::ERROR_UNSUPPORTED_KEYALG;
-+      break;
-+  }
-+
-+  SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
-+  return VerifySignedData(pubk, mechanism, nullptr, &signatureItem,
-+                          &dataItem, policyTags, pkcs11PinArg);
-+}
-+
- Result
- MapPRErrorCodeToResult(PRErrorCode error)
- {
-diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp
-index 8cb58bf7de..ff132d89df 100644
---- a/security/nss/lib/mozpkix/lib/pkixverify.cpp
-+++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp
-@@ -53,6 +53,9 @@ VerifySignedData(TrustDomain& trustDomain,
-     case der::PublicKeyAlgorithm::RSA_PSS:
-       return trustDomain.VerifyRSAPSSSignedData(signedData.data,
-           digestAlgorithm, signedData.signature, signerSubjectPublicKeyInfo);
-+    case der::PublicKeyAlgorithm::MLDSA:
-+      return trustDomain.VerifyMLDSASignedData(signedData.data,
-+          signedData.signature, signerSubjectPublicKeyInfo);
-     MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM
-   }
- }

SOURCES/firefox-fix-build-with-system-pipewire.patch

@@ -1,12 +0,0 @@
-diff --git a/config/system-headers.mozbuild b/config/system-headers.mozbuild
-index 028002a1d0..9dcb50fe5e 100644
---- a/config/system-headers.mozbuild
-+++ b/config/system-headers.mozbuild
-@@ -310,6 +310,7 @@ system_headers = [
-     "getopt.h",
-     "gio/gdesktopappinfo.h",
-     "gio/gio.h",
-+    "gio/gunixfdlist.h",
-     "glibconfig.h",
-     "glib.h",
-     "glib-object.h",

SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch

@@ -1,247 +0,0 @@
-diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
-index cc778640a1..298d6a61e8 100644
---- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
-+++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
-@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
-       mozilla::pkix::Input signature,
-       mozilla::pkix::Input subjectPublicKeyInfo) override;
- 
-+  virtual mozilla::pkix::Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
-+      mozilla::pkix::Input subjectPublicKeyInfo) override;
-+
-   virtual mozilla::pkix::Result DigestBuf(
-       mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
-       /*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
-@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
-   return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
- }
- 
-+mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
-+    mozilla::pkix::Input data, mozilla::pkix::Input signature,
-+    mozilla::pkix::Input subjectPublicKeyInfo) {
-+  MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
-+
-+  return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
-+}
-+
- mozilla::pkix::Result ServerCertHashesTrustDomain::DigestBuf(
-     mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
-     /*out*/ uint8_t* digestBuf, size_t digestBufLen) {
-diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
-index ca330770fb..1e8f1d4996 100644
---- a/security/certverifier/CertVerifier.cpp
-+++ b/security/certverifier/CertVerifier.cpp
-@@ -7,6 +7,7 @@
- #include "CertVerifier.h"
- 
- #include <stdint.h>
-+#include <optional>
- 
- #include "AppTrustDomain.h"
- #include "CTKnownLogs.h"
-@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
- void HashSignatureParams(pkix::Input data, pkix::Input signature,
-                          pkix::Input subjectPublicKeyInfo,
-                          pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
--                         pkix::DigestAlgorithm digestAlgorithm,
-+                         std::optional<pkix::DigestAlgorithm> digestAlgorithm,
-                          /*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
-   sha512Hash.reset();
-   Digest digest;
-@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
-                         sizeof(publicKeyAlgorithm)))) {
-     return;
-   }
--  if (NS_FAILED(
--          digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
--                        sizeof(digestAlgorithm)))) {
--    return;
-+  // There is no fallback digest algorithm when it's empty.
-+  // Check that digestAlgorithm actually contains a value.
-+  if (digestAlgorithm) {
-+    pkix::DigestAlgorithm value = digestAlgorithm.value();
-+    if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
-+                                sizeof(value)))) {
-+      return;
-+    }
-   }
-   nsTArray<uint8_t> result;
-   if (NS_FAILED(digest.End(result))) {
-@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
-     der::PublicKeyAlgorithm publicKeyAlg,
-     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
-     mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
--    DigestAlgorithm digestAlgorithm, Input signature,
-+    std::optional<DigestAlgorithm> digestAlgorithm, Input signature,
-     Input subjectPublicKeyInfo, SignatureCache* signatureCache, void* pinArg) {
-   telemetryDenominator.Add(1);
-   Maybe<nsTArray<uint8_t>> sha512Hash;
-+
-+  // Currently, it is only acceptable for `digestAlgorithm` to be null when the
-+  // public key algorithm is pure ML-DSA. Fail immediately otherwise.
-+  if ((publicKeyAlg != der::PublicKeyAlgorithm::MLDSA) && !digestAlgorithm) {
-+    return Result::ERROR_INVALID_ALGORITHM;
-+  }
-+
-   HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
-                       digestAlgorithm, sha512Hash);
-   // If hashing the signature parameters succeeded, see if this signature is in
-@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
-   Result result;
-   switch (publicKeyAlg) {
-     case der::PublicKeyAlgorithm::ECDSA:
--      result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
--                                        subjectPublicKeyInfo, pinArg);
-+      result =
-+          VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
-+                                   subjectPublicKeyInfo, pinArg);
-       break;
-     case der::PublicKeyAlgorithm::RSA_PKCS1:
--      result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
--                                           subjectPublicKeyInfo, pinArg);
-+      result =
-+          VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
-+                                      subjectPublicKeyInfo, pinArg);
-       break;
-     case der::PublicKeyAlgorithm::RSA_PSS:
--      result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
--                                         subjectPublicKeyInfo, pinArg);
-+      result =
-+          VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
-+                                    subjectPublicKeyInfo, pinArg);
-+      break;
-+    case der::PublicKeyAlgorithm::MLDSA:
-+      result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
-+                                        pinArg);
-       break;
-     default:
-       MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
-diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
-index 6432547c8a..6e09e6fcdd 100644
---- a/security/certverifier/CertVerifier.h
-+++ b/security/certverifier/CertVerifier.h
-@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
-     mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
-     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
-     mozilla::glean::impl::NumeratorMetric telemetryNumerator,
--    mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
-+    mozilla::pkix::Input data,
-+    std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
-     mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
-     SignatureCache* signatureCache, void* pinArg);
- 
-diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
-index 70ba17d70f..a3ace3cee7 100644
---- a/security/certverifier/NSSCertDBTrustDomain.cpp
-+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
-@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
-       signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
- }
- 
-+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
-+                                                   Input subjectPublicKeyInfo) {
-+  return VerifySignedDataWithCache(
-+      der::PublicKeyAlgorithm::MLDSA,
-+      mozilla::glean::cert_signature_cache::total,
-+      mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
-+      subjectPublicKeyInfo, mSignatureCache, mPinArg);
-+}
-+
- Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
-     Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
-     KeyPurposeId keyPurpose) {
-diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
-index fc210f3254..6178201758 100644
---- a/security/certverifier/NSSCertDBTrustDomain.h
-+++ b/security/certverifier/NSSCertDBTrustDomain.h
-@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
-       mozilla::pkix::Input signature,
-       mozilla::pkix::Input subjectPublicKeyInfo) override;
- 
-+  virtual Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
-+      mozilla::pkix::Input subjectPublicKeyInfo) override;
-+
-   virtual Result DigestBuf(mozilla::pkix::Input item,
-                            mozilla::pkix::DigestAlgorithm digestAlg,
-                            /*out*/ uint8_t* digestBuf,
-diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
-index d5e665aaca..471213745d 100644
---- a/security/ct/CTLogVerifier.cpp
-+++ b/security/ct/CTLogVerifier.cpp
-@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
-     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
-   }
- 
-+  pkix::Result VerifyMLDSASignedData(Input, Input, Input) override {
-+    return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
-+  }
-+
-   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
-                                          KeyPurposeId) override {
-     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
-diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
-index 6a25307ec3..dbec7adc91 100644
---- a/security/ct/tests/gtest/CTTestUtils.cpp
-+++ b/security/ct/tests/gtest/CTTestUtils.cpp
-@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
-                                      subjectPublicKeyInfo, nullptr);
-   }
- 
-+  pkix::Result VerifyMLDSASignedData(Input data, Input signature,
-+                                     Input subjectPublicKeyInfo) override {
-+    return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
-+                                    nullptr);
-+  }
-+
-   pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA,
-                                          KeyPurposeId) override {
-     ADD_FAILURE();
-diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
-index ab49d7eb1f..3963f90eb1 100644
---- a/security/manager/ssl/AppTrustDomain.cpp
-+++ b/security/manager/ssl/AppTrustDomain.cpp
-@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
-                                   subjectPublicKeyInfo, nullptr);
- }
- 
-+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
-+                                                   Input subjectPublicKeyInfo) {
-+  return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
-+                                  nullptr);
-+}
-+
- pkix::Result AppTrustDomain::CheckValidityIsAcceptable(
-     Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
-     KeyPurposeId /*keyPurpose*/) {
-diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
-index 4b0212ede0..85fdff5f13 100644
---- a/security/manager/ssl/AppTrustDomain.h
-+++ b/security/manager/ssl/AppTrustDomain.h
-@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
-                            mozilla::pkix::DigestAlgorithm digestAlg,
-                            /*out*/ uint8_t* digestBuf,
-                            size_t digestBufLen) override;
-+  virtual Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
-+      mozilla::pkix::Input subjectPublicKeyInfo) override;
- 
-  private:
-   nsTArray<Span<const uint8_t>> mTrustedRoots;
-diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
-index 3a84b15ee6..a3dc5a1af1 100644
---- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
-+++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
-@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
-       pkix::Input subjectPublicKeyInfo) override {
-     return pkix::Success;
-   }
-+  virtual mozilla::pkix::Result VerifyMLDSASignedData(
-+      pkix::Input data, pkix::Input signature,
-+      pkix::Input subjectPublicKeyInfo) override {
-+    return pkix::Success;
-+  }
-   virtual mozilla::pkix::Result CheckValidityIsAcceptable(
-       pkix::Time notBefore, pkix::Time notAfter,
-       pkix::EndEntityOrCA endEntityOrCA,

SOURCES/mozilla-bmo1170092.patch

@@ -1,6 +1,6 @@
-diff -up firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092 firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp
---- firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-bmo1170092	2025-06-02 15:26:44.000000000 +0200
-+++ firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp	2025-06-04 13:24:00.344728697 +0200
+diff -up firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092 firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp
+--- firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp.1170092	2023-07-10 21:08:53.000000000 +0200
++++ firefox-115.0.2/extensions/pref/autoconfig/src/nsReadConfig.cpp	2023-07-17 10:33:23.443355156 +0200
 @@ -263,8 +263,20 @@ nsresult nsReadConfig::openAndEvaluateJS
      if (NS_FAILED(rv)) return rv;
  
@@ -23,10 +23,10 @@ diff -up firefox-140.0/extensions/pref/autoconfig/src/nsReadConfig.cpp.mozilla-b
    } else {
      nsAutoCString location("resource://gre/defaults/autoconfig/");
      location += aFileName;
-diff -up firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092 firefox-140.0/modules/libpref/Preferences.cpp
---- firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092	2025-06-02 15:26:51.000000000 +0200
-+++ firefox-140.0/modules/libpref/Preferences.cpp	2025-06-04 13:24:00.345430064 +0200
-@@ -4914,6 +4914,9 @@ nsresult Preferences::InitInitialObjects
+diff -up firefox-115.0.2/modules/libpref/Preferences.cpp.1170092 firefox-115.0.2/modules/libpref/Preferences.cpp
+--- firefox-115.0.2/modules/libpref/Preferences.cpp.1170092	2023-07-10 21:09:00.000000000 +0200
++++ firefox-115.0.2/modules/libpref/Preferences.cpp	2023-07-17 10:33:23.444355156 +0200
+@@ -4825,6 +4825,9 @@ nsresult Preferences::InitInitialObjects
    //
    // Thus, in the omni.jar case, we always load app-specific default
    // preferences from omni.jar, whether or not `$app == $gre`.
@@ -36,10 +36,10 @@ diff -up firefox-140.0/modules/libpref/Preferences.cpp.mozilla-bmo1170092 firefo
  
    nsresult rv = NS_ERROR_FAILURE;
    UniquePtr<nsZipFind> find;
-diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firefox-140.0/toolkit/xre/nsXREDirProvider.cpp
---- firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092	2025-06-02 15:27:00.000000000 +0200
-+++ firefox-140.0/toolkit/xre/nsXREDirProvider.cpp	2025-06-04 15:44:09.413562326 +0200
-@@ -76,6 +76,7 @@
+diff -up firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092 firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp
+--- firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp.1170092	2023-07-10 22:57:20.000000000 +0200
++++ firefox-115.0.2/toolkit/xre/nsXREDirProvider.cpp	2023-07-17 10:56:25.309692121 +0200
+@@ -72,6 +72,7 @@
  #endif
  #ifdef XP_UNIX
  #  include <ctype.h>
@@ -47,7 +47,7 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
  #endif
  #ifdef XP_IOS
  #  include "UIKitDirProvider.h"
-@@ -462,6 +463,17 @@ nsXREDirProvider::GetFile(const char* aP
+@@ -478,6 +479,17 @@ nsXREDirProvider::GetFile(const char* aP
      rv = file->AppendNative(nsLiteralCString(PREF_OVERRIDE_DIRNAME));
      NS_ENSURE_SUCCESS(rv, rv);
      rv = EnsureDirectoryExists(file);
@@ -60,12 +60,12 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
 +    appInfo->GetName(appName);
 +    ToLowerCase(appName);
 +    sysConfigDir.Append(appName);
-+    NS_NewNativeLocalFile(sysConfigDir, getter_AddRefs(file));
++    NS_NewNativeLocalFile(sysConfigDir, false, getter_AddRefs(file));
 +    rv = EnsureDirectoryExists(file);
    } else {
      // We don't know anything about this property. Fail without warning, because
      // otherwise we'll get too much warning spam due to
-@@ -518,6 +530,16 @@ nsXREDirProvider::GetFiles(const char* a
+@@ -694,6 +706,16 @@ nsXREDirProvider::GetFiles(const char* a
      }
  #endif
  
@@ -82,9 +82,9 @@ diff -up firefox-140.0/toolkit/xre/nsXREDirProvider.cpp.mozilla-bmo1170092 firef
      rv = NS_NewArrayEnumerator(aResult, directories, NS_GET_IID(nsIFile));
    } else if (!strcmp(aProperty, NS_APP_CHROME_DIR_LIST)) {
      // NS_APP_CHROME_DIR_LIST is only used to get default (native) icons
-diff -up firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092 firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h
---- firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h.mozilla-bmo1170092	2025-06-02 15:27:01.000000000 +0200
-+++ firefox-140.0/xpcom/io/nsAppDirectoryServiceDefs.h	2025-06-04 13:24:00.346423861 +0200
+diff -up firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092 firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h
+--- firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h.1170092	2023-07-10 21:09:13.000000000 +0200
++++ firefox-115.0.2/xpcom/io/nsAppDirectoryServiceDefs.h	2023-07-17 10:33:23.444355156 +0200
 @@ -58,6 +58,7 @@
  #define NS_APP_PREFS_DEFAULTS_DIR_LIST "PrefDL"
  #define NS_APP_PREFS_OVERRIDE_DIR \

SOURCES/mozilla-bmo1636168-fscreen.patch

@@ -1,28 +1,29 @@
-diff -up firefox-140.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen firefox-140.0/widget/gtk/nsWindow.cpp
---- firefox-140.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen	2025-06-02 15:27:00.000000000 +0200
-+++ firefox-140.0/widget/gtk/nsWindow.cpp	2025-06-12 10:23:04.789578675 +0200
-@@ -196,7 +196,7 @@ constexpr gint kEvents =
-     GDK_VISIBILITY_NOTIFY_MASK | GDK_ENTER_NOTIFY_MASK | GDK_LEAVE_NOTIFY_MASK |
-     GDK_BUTTON_PRESS_MASK | GDK_BUTTON_RELEASE_MASK | GDK_SMOOTH_SCROLL_MASK |
-     GDK_TOUCH_MASK | GDK_SCROLL_MASK | GDK_POINTER_MOTION_MASK |
--    GDK_PROPERTY_CHANGE_MASK;
-+    GDK_PROPERTY_CHANGE_MASK | GDK_FOCUS_CHANGE_MASK;
+diff -up firefox-128.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen firefox-128.0/widget/gtk/nsWindow.cpp
+--- firefox-128.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen	2024-07-04 18:20:43.000000000 +0200
++++ firefox-128.0/widget/gtk/nsWindow.cpp	2024-07-16 14:54:21.026716936 +0200
+@@ -174,7 +174,8 @@ const gint kEvents = GDK_TOUCHPAD_GESTUR
+                      GDK_ENTER_NOTIFY_MASK | GDK_LEAVE_NOTIFY_MASK |
+                      GDK_BUTTON_PRESS_MASK | GDK_BUTTON_RELEASE_MASK |
+                      GDK_SMOOTH_SCROLL_MASK | GDK_TOUCH_MASK | GDK_SCROLL_MASK |
+-                     GDK_POINTER_MOTION_MASK | GDK_PROPERTY_CHANGE_MASK;
++                     GDK_POINTER_MOTION_MASK | GDK_PROPERTY_CHANGE_MASK |
++                     GDK_FOCUS_CHANGE_MASK;
  
  /* utility functions */
  static bool is_mouse_in_window(GdkWindow* aWindow, gdouble aMouseX,
-@@ -454,7 +454,8 @@ nsWindow::nsWindow()
+@@ -430,7 +431,8 @@ nsWindow::nsWindow()
        mResizedAfterMoveToRect(false),
        mConfiguredClearColor(false),
        mGotNonBlankPaint(false),
 -      mNeedsToRetryCapturingMouse(false) {
 +      mNeedsToRetryCapturingMouse(false),
 +      mPendingFullscreen(false) {
+   mWindowType = WindowType::Child;
    mSizeConstraints.mMaxSize = GetSafeWindowSize(mSizeConstraints.mMaxSize);
  
-   if (!gGlobalsInitialized) {
-@@ -5424,6 +5425,19 @@ void nsWindow::OnWindowStateEvent(GtkWid
-   if (mSizeMode != oldSizeMode && mWidgetListener) {
-     mWidgetListener->SizeModeChanged(mSizeMode);
+@@ -5374,6 +5376,19 @@ void nsWindow::OnWindowStateEvent(GtkWid
+       ClearTransparencyBitmap();
+     }
    }
 +
 +  // Hack to ensure window switched to fullscreen - avoid to fail when starting
@@ -40,7 +41,7 @@ diff -up firefox-140.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen firefo
  }
  
  void nsWindow::OnDPIChanged() {
-@@ -7239,6 +7253,7 @@ nsresult nsWindow::MakeFullScreen(bool a
+@@ -7526,6 +7541,7 @@ nsresult nsWindow::MakeFullScreen(bool a
  
      if (mKioskMonitor.isSome()) {
        KioskLockOnMonitor();
@@ -48,10 +49,10 @@ diff -up firefox-140.0/widget/gtk/nsWindow.cpp.mozilla-bmo1636168-fscreen firefo
      } else {
        gtk_window_fullscreen(GTK_WINDOW(mShell));
      }
-diff -up firefox-140.0/widget/gtk/nsWindow.h.mozilla-bmo1636168-fscreen firefox-140.0/widget/gtk/nsWindow.h
---- firefox-140.0/widget/gtk/nsWindow.h.mozilla-bmo1636168-fscreen	2025-06-02 15:27:00.000000000 +0200
-+++ firefox-140.0/widget/gtk/nsWindow.h	2025-06-12 10:18:42.354025723 +0200
-@@ -786,6 +786,7 @@ class nsWindow final : public nsBaseWidg
+diff -up firefox-128.0/widget/gtk/nsWindow.h.mozilla-bmo1636168-fscreen firefox-128.0/widget/gtk/nsWindow.h
+--- firefox-128.0/widget/gtk/nsWindow.h.mozilla-bmo1636168-fscreen	2024-07-04 18:20:43.000000000 +0200
++++ firefox-128.0/widget/gtk/nsWindow.h	2024-07-16 14:25:51.636952919 +0200
+@@ -758,6 +758,7 @@ class nsWindow final : public nsBaseWidg
     * move-to-rect callback we set mMovedAfterMoveToRect/mResizedAfterMoveToRect.
     */
    bool mWaitingForMoveToRectCallback : 1;

SOURCES/mozilla-bmo1670333.patch

@@ -1,7 +1,7 @@
-diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/mp4/MP4Demuxer.cpp
---- firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/mp4/MP4Demuxer.cpp	2025-06-18 10:17:47.394794429 +0200
-@@ -32,6 +32,8 @@ mozilla::LogModule* GetDemuxerLog() { re
+diff -up firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-128.0/dom/media/mp4/MP4Demuxer.cpp
+--- firefox-128.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333	2024-07-04 18:20:27.000000000 +0200
++++ firefox-128.0/dom/media/mp4/MP4Demuxer.cpp	2024-07-16 13:49:10.475630426 +0200
+@@ -33,6 +33,8 @@ mozilla::LogModule* GetDemuxerLog() { re
    DDMOZ_LOG(gMediaDemuxerLog, mozilla::LogLevel::Debug, "::%s: " arg, \
              __func__, ##__VA_ARGS__)
  
@@ -11,9 +11,9 @@ diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
  
  using TimeUnit = media::TimeUnit;
 @@ -419,6 +421,12 @@ already_AddRefed<MediaRawData> MP4TrackD
+           [[fallthrough]];
          case H264::FrameType::OTHER: {
-           bool keyframe = type == H264::FrameType::I_FRAME_OTHER ||
-                           type == H264::FrameType::I_FRAME_IDR;
+           bool keyframe = type == H264::FrameType::I_FRAME;
 +          if (gUseKeyframeFromContainer) {
 +            if (sample->mKeyframe && sample->mKeyframe != keyframe) {
 +              sample->mKeyframe = keyframe;
@@ -23,10 +23,10 @@ diff -up firefox-140.0/dom/media/mp4/MP4Demuxer.cpp.mozilla-bmo1670333 firefox-1
            if (sample->mKeyframe != keyframe) {
              NS_WARNING(nsPrintfCString("Frame incorrectly marked as %skeyframe "
                                         "@ pts:%" PRId64 " dur:%" PRId64
-diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.cpp
---- firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/platforms/PDMFactory.cpp	2025-06-18 10:10:29.209789856 +0200
-@@ -61,6 +61,8 @@
+diff -up firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 firefox-128.0/dom/media/platforms/PDMFactory.cpp
+--- firefox-128.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333	2024-07-04 18:20:26.000000000 +0200
++++ firefox-128.0/dom/media/platforms/PDMFactory.cpp	2024-07-16 14:16:04.635809901 +0200
+@@ -62,6 +62,8 @@
  
  #include <functional>
  
@@ -35,7 +35,7 @@ diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
  using DecodeSupport = mozilla::media::DecodeSupport;
  using DecodeSupportSet = mozilla::media::DecodeSupportSet;
  using MediaCodec = mozilla::media::MediaCodec;
-@@ -573,7 +575,7 @@ void PDMFactory::CreateRddPDMs() {
+@@ -543,7 +545,7 @@ void PDMFactory::CreateRddPDMs() {
  #ifdef MOZ_FFMPEG
    if (StaticPrefs::media_ffmpeg_enabled() &&
        StaticPrefs::media_rdd_ffmpeg_enabled() &&
@@ -44,7 +44,7 @@ diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
      mFailureFlags += GetFailureFlagBasedOnFFmpegStatus(
          FFmpegRuntimeLinker::LinkStatusCode());
    }
-@@ -749,7 +751,7 @@ void PDMFactory::CreateDefaultPDMs() {
+@@ -719,7 +721,7 @@ void PDMFactory::CreateDefaultPDMs() {
    StartupPDM(AgnosticDecoderModule::Create(),
               StaticPrefs::media_prefer_non_ffvpx());
  
@@ -53,10 +53,10 @@ diff -up firefox-140.0/dom/media/platforms/PDMFactory.cpp.mozilla-bmo1670333 fir
        !StartupPDM(GMPDecoderModule::Create(),
                    StaticPrefs::media_gmp_decoder_preferred())) {
      mFailureFlags += DecoderDoctorDiagnostics::Flags::GMPPDMFailedToStartup;
-diff -up firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333 firefox-140.0/dom/media/platforms/PDMFactory.h
---- firefox-140.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/platforms/PDMFactory.h	2025-06-18 10:10:29.210054963 +0200
-@@ -105,6 +105,7 @@ class PDMFactory final {
+diff -up firefox-128.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333 firefox-128.0/dom/media/platforms/PDMFactory.h
+--- firefox-128.0/dom/media/platforms/PDMFactory.h.mozilla-bmo1670333	2024-07-04 18:20:26.000000000 +0200
++++ firefox-128.0/dom/media/platforms/PDMFactory.h	2024-07-16 13:49:10.476630421 +0200
+@@ -98,6 +98,7 @@ class PDMFactory final {
    RefPtr<PlatformDecoderModule> mNullPDM;
  
    DecoderDoctorDiagnostics::FlagsSet mFailureFlags;

SOURCES/mozilla-bmo1789216-disable-av1.patch

@@ -1,7 +1,7 @@
-diff -up firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1 firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c
---- firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1	2025-07-14 19:14:53.000000000 +0200
-+++ firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c	2025-07-31 15:12:56.818469857 +0200
-@@ -769,8 +769,11 @@ extern const FFCodec ff_libaribb24_decod
+diff -up firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/allcodecs.c
+--- firefox-128.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-disable-av1	2024-06-12 15:03:01.000000000 +0200
++++ firefox-128.0/media/ffvpx/libavcodec/allcodecs.c	2024-06-13 11:44:10.637215674 +0200
+@@ -764,8 +764,11 @@ extern const FFCodec ff_libaribb24_decod
  extern const FFCodec ff_libcelt_decoder;
  extern const FFCodec ff_libcodec2_encoder;
  extern const FFCodec ff_libcodec2_decoder;
@@ -13,7 +13,7 @@ diff -up firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-d
  extern const FFCodec ff_libfdk_aac_encoder;
  extern const FFCodec ff_libfdk_aac_decoder;
  extern const FFCodec ff_libgsm_encoder;
-@@ -800,7 +803,6 @@ extern const FFCodec ff_libspeex_decoder
+@@ -793,7 +796,6 @@ extern const FFCodec ff_libspeex_decoder
  extern const FFCodec ff_libsvtav1_encoder;
  extern const FFCodec ff_libtheora_encoder;
  extern const FFCodec ff_libtwolame_encoder;
@@ -21,9 +21,9 @@ diff -up firefox-140.1.0/media/ffvpx/libavcodec/allcodecs.c.mozilla-bmo1789216-d
  extern const FFCodec ff_libvo_amrwbenc_encoder;
  extern const FFCodec ff_libvorbis_encoder;
  extern const FFCodec ff_libvorbis_decoder;
-diff -up firefox-140.1.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1 firefox-140.1.0/media/ffvpx/libavcodec/codec_list.c
---- firefox-140.1.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1	2025-07-14 19:14:53.000000000 +0200
-+++ firefox-140.1.0/media/ffvpx/libavcodec/codec_list.c	2025-07-31 15:12:56.820214239 +0200
+diff -up firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/codec_list.c
+--- firefox-128.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-disable-av1	2024-06-13 11:40:12.668924117 +0200
++++ firefox-128.0/media/ffvpx/libavcodec/codec_list.c	2024-06-13 11:44:41.411253372 +0200
 @@ -11,12 +11,14 @@ static const FFCodec * const codec_list[
  #if CONFIG_MP3_DECODER
      &ff_mp3_decoder,
@@ -35,13 +35,13 @@ diff -up firefox-140.1.0/media/ffvpx/libavcodec/codec_list.c.mozilla-bmo1789216-
  #if CONFIG_AV1_DECODER
      &ff_av1_decoder,
  #endif
-+#endif
++#endif    
  #if CONFIG_LIBVORBIS_DECODER
      &ff_libvorbis_decoder,
  #endif
-diff -up firefox-140.1.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1 firefox-140.1.0/media/ffvpx/libavcodec/moz.build
---- firefox-140.1.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1	2025-07-14 19:14:53.000000000 +0200
-+++ firefox-140.1.0/media/ffvpx/libavcodec/moz.build	2025-08-01 12:40:58.374987298 +0200
+diff -up firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1 firefox-128.0/media/ffvpx/libavcodec/moz.build
+--- firefox-128.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-disable-av1	2024-06-13 11:40:12.669924118 +0200
++++ firefox-128.0/media/ffvpx/libavcodec/moz.build	2024-06-13 11:45:22.867304151 +0200
 @@ -94,7 +94,6 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
          'imgconvert.c',
          'libaom.c',
@@ -50,25 +50,24 @@ diff -up firefox-140.1.0/media/ffvpx/libavcodec/moz.build.mozilla-bmo1789216-dis
          'libvpxdec.c',
          'libvpxenc.c',
          'mathtables.c',
-@@ -120,16 +119,15 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
+@@ -119,10 +118,16 @@ if not CONFIG['MOZ_FFVPX_AUDIOONLY']:
+         'vp9recon.c',
          'vpx_rac.c',
      ]
- 
--    if CONFIG["MOZ_SYSTEM_AV1"]:
--        CFLAGS += CONFIG['MOZ_SYSTEM_LIBDAV1D_CFLAGS']
--        CFLAGS += CONFIG['MOZ_SYSTEM_LIBAOM_CFLAGS']
--        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBDAV1D_LIBS']
--        OS_LIBS += CONFIG['MOZ_SYSTEM_LIBAOM_LIBS']
--    else:
-+    if CONFIG["MOZ_AV1"]:
-         USE_LIBS += [
-             'dav1d',
-             'media_libdav1d_asm',
-         ]
+-    USE_LIBS += [
+-        'dav1d',
+-        'media_libdav1d_asm',
+-    ]
++    if CONFIG['MOZ_AV1']:
++        USE_LIBS += [
++            'dav1d',
++            'media_libdav1d_asm',
++        ]
 +        SOURCES += [
 +            'libdav1d.c',
 +        ]
 +
- 
++
      if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
          LOCAL_INCLUDES += ['/media/mozva']
+         SOURCES += [

SOURCES/process-official-tarball

@@ -17,12 +17,6 @@ rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/brow
 rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/feature/addons/src/main/res/values-ur/strings.xml
 rm -vf ./process-tarball-dir/*/third_party/webkit/PerformanceTests/Speedometer3/resources/editors/dist/assets/codemirror-521de7ab.js
 rm -vf ./process-tarball-dir/*/third_party/python/pip/pip-24.0.dist-info/AUTHORS.txt
-rm -vf ./process-tarball-dir/*/dom/locks/test/crashtests/1908240.js
-
-# We uses system freetype2
-rm -vrf ./process-tarball-dir/*/modules/freetype2
-# We use system zlib
-rm -vrf ./process-tarball-dir/*/modules/zlib
 
 processed_tarball=${1/source/processed-source}
 

SOURCES/rhbz-1173156.patch

@@ -1,12 +1,12 @@
-diff -up firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp
---- firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2025-06-02 15:26:45.000000000 +0200
-+++ firefox-140.0/extensions/auth/nsAuthSambaNTLM.cpp	2025-06-12 11:02:37.183715940 +0200
-@@ -153,7 +153,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
-     options.fds_to_remap.push_back(
-         std::pair{fromChildPipeWrite.get(), STDOUT_FILENO});
- 
--    std::vector<std::string> argvVec{"ntlm_auth",        "--helper-protocol",
-+    std::vector<std::string> argvVec{"/usr/bin/ntlm_auth",        "--helper-protocol",
-                                      "ntlmssp-client-1", "--use-cached-creds",
-                                      "--username",       username};
+diff -up firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp
+--- firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156	2019-01-22 10:36:09.284069020 +0100
++++ firefox-60.5.0/extensions/auth/nsAuthSambaNTLM.cpp	2019-01-22 10:37:12.669757744 +0100
+@@ -161,7 +161,7 @@ nsresult nsAuthSambaNTLM::SpawnNTLMAuthH
+   const char* username = PR_GetEnv("USER");
+   if (!username) return NS_ERROR_FAILURE;
  
+-  const char* const args[] = {"ntlm_auth",
++  const char* const args[] = {"/usr/bin/ntlm_auth",
+                               "--helper-protocol",
+                               "ntlmssp-client-1",
+                               "--use-cached-creds",

SOURCES/rhbz-71999-fips-youtube.patch

@@ -1,43 +0,0 @@
-changeset:   781221:573380ae60a7
-tag:         tip
-user:        stransky <stransky@redhat.com>
-date:        Mon Mar 24 10:13:50 2025 +0100
-files:       dom/cache/CacheStorage.cpp dom/indexedDB/ActorsParent.cpp
-description:
-FIPS-youtube
-
-
-diff --git a/dom/cache/CacheStorage.cpp b/dom/cache/CacheStorage.cpp
---- a/dom/cache/CacheStorage.cpp
-+++ b/dom/cache/CacheStorage.cpp
-@@ -38,6 +38,7 @@
- #include "nsURLParsers.h"
- #include "js/Object.h"              // JS::GetClass
- #include "js/PropertyAndElement.h"  // JS_DefineProperty
-+#include "pk11pub.h"
- 
- namespace mozilla::dom::cache {
- 
-@@ -581,7 +582,7 @@ bool CacheStorage::HasStorageAccess(UseC
-     if (!principal->IsSystemPrincipal() &&
-         principal->GetPrivateBrowsingId() !=
-             nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID &&
--        !StaticPrefs::dom_cache_privateBrowsing_enabled()) {
-+        (!StaticPrefs::dom_cache_privateBrowsing_enabled() || PK11_IsFIPS())) {
-       return false;
-     }
-   }
-diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp
---- a/dom/indexedDB/ActorsParent.cpp
-+++ b/dom/indexedDB/ActorsParent.cpp
-@@ -14791,7 +14791,8 @@ nsresult FactoryOp::Open() {
-     mEnforcingQuota = mPersistenceType != PERSISTENCE_TYPE_PERSISTENT;
- 
-     if (mOriginMetadata.mIsPrivate) {
--      if (StaticPrefs::dom_indexedDB_privateBrowsing_enabled()) {
-+      if (StaticPrefs::dom_indexedDB_privateBrowsing_enabled() &&
-+          !PK11_IsFIPS()) {
-         // Explicitly disallow moz-extension urls from using the encrypted
-         // indexedDB storage mode when the caller is an extension (see Bug
-         // 1841806).
-

SOURCES/wasi.patch

@@ -6,7 +6,7 @@ diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz.
          if wasi_sysroot:
              log.info("Using wasi sysroot in %s", wasi_sysroot)
 -            return ["--sysroot=%s" % wasi_sysroot]
-+            return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs",  "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/centpackages/NEW_ERA/firefox-2/firefox-140.6.0-build/firefox-140.6.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"]
++            return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs",  "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/rpmbuild/BUILDROOT/usr/share/wasi-sysroot/lib/libclang_rt.builtins-wasm32.a"]
          return []
  
      set_config("WASI_SYSROOT", wasi_sysroot)

SOURCES/webrtc-128.0.patch.patch

@@ -1,7 +1,7 @@
-diff -up firefox-140.0/dom/crypto/WebCryptoTask.cpp.D225034.1750779491 firefox-140.0/dom/crypto/WebCryptoTask.cpp
---- firefox-140.0/dom/crypto/WebCryptoTask.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/crypto/WebCryptoTask.cpp	2025-06-26 12:19:09.532341457 +0200
-@@ -120,60 +120,6 @@ enum TelemetryAlgorithm {
+diff -up firefox-128.2.0/dom/crypto/WebCryptoTask.cpp.webrtc firefox-128.2.0/dom/crypto/WebCryptoTask.cpp
+--- firefox-128.2.0/dom/crypto/WebCryptoTask.cpp.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/crypto/WebCryptoTask.cpp	2024-09-30 21:42:30.750124316 +0200
+@@ -118,60 +118,6 @@ enum TelemetryAlgorithm {
      }                                                \
    }
  
@@ -30,7 +30,7 @@ diff -up firefox-140.0/dom/crypto/WebCryptoTask.cpp.D225034.1750779491 firefox-1
 -    Algorithm alg;
 -
 -    if (!alg.Init(aCx, value)) {
--      return NS_ERROR_DOM_TYPE_MISMATCH_ERR;
+-      return NS_ERROR_DOM_SYNTAX_ERR;
 -    }
 -
 -    aName = alg.mName;
@@ -62,7 +62,7 @@ diff -up firefox-140.0/dom/crypto/WebCryptoTask.cpp.D225034.1750779491 firefox-1
  inline size_t MapHashAlgorithmNameToBlockSize(const nsString& aName) {
    if (aName.EqualsLiteral(WEBCRYPTO_ALG_SHA1) ||
        aName.EqualsLiteral(WEBCRYPTO_ALG_SHA256)) {
-@@ -2488,6 +2434,30 @@ class GenerateSymmetricKeyTask : public
+@@ -2198,6 +2144,30 @@ class GenerateSymmetricKeyTask : public
    virtual void Cleanup() override { mKey = nullptr; }
  };
  
@@ -90,13 +90,13 @@ diff -up firefox-140.0/dom/crypto/WebCryptoTask.cpp.D225034.1750779491 firefox-1
 +  UniqueSECKEYPrivateKey mPrivateKey;
 +};
 +
- class DeriveX25519BitsTask : public ReturnArrayBufferViewTask {
-  public:
-   DeriveX25519BitsTask(JSContext* aCx, const ObjectOrString& aAlgorithm,
-diff -up firefox-140.0/dom/crypto/WebCryptoTask.h.D225034.1750779491 firefox-140.0/dom/crypto/WebCryptoTask.h
---- firefox-140.0/dom/crypto/WebCryptoTask.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/crypto/WebCryptoTask.h	2025-06-26 12:14:42.300401357 +0200
-@@ -176,31 +176,60 @@ class WebCryptoTask : public CancelableR
+ GenerateAsymmetricKeyTask::GenerateAsymmetricKeyTask(
+     nsIGlobalObject* aGlobal, JSContext* aCx, const ObjectOrString& aAlgorithm,
+     bool aExtractable, const Sequence<nsString>& aKeyUsages)
+diff -up firefox-128.2.0/dom/crypto/WebCryptoTask.h.webrtc firefox-128.2.0/dom/crypto/WebCryptoTask.h
+--- firefox-128.2.0/dom/crypto/WebCryptoTask.h.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/crypto/WebCryptoTask.h	2024-09-30 21:41:07.648369048 +0200
+@@ -175,31 +175,60 @@ class WebCryptoTask : public CancelableR
    nsresult mRv;
  };
  
@@ -177,9 +177,9 @@ diff -up firefox-140.0/dom/crypto/WebCryptoTask.h.D225034.1750779491 firefox-140
  }  // namespace mozilla::dom
  
  #endif  // mozilla_dom_WebCryptoTask_h
-diff -up firefox-140.0/dom/media/webrtc/components.conf.D225034.1750779491 firefox-140.0/dom/media/webrtc/components.conf
---- firefox-140.0/dom/media/webrtc/components.conf.D225034.1750779491	2025-06-26 12:14:42.300775330 +0200
-+++ firefox-140.0/dom/media/webrtc/components.conf	2025-06-26 12:14:42.300775330 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/components.conf.webrtc firefox-128.2.0/dom/media/webrtc/components.conf
+--- firefox-128.2.0/dom/media/webrtc/components.conf.webrtc	2024-09-30 21:41:07.649369081 +0200
++++ firefox-128.2.0/dom/media/webrtc/components.conf	2024-09-30 21:41:07.649369081 +0200
 @@ -0,0 +1,14 @@
 +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
 +# vim: set filetype=python:
@@ -195,9 +195,9 @@ diff -up firefox-140.0/dom/media/webrtc/components.conf.D225034.1750779491 firef
 +        'constructor': 'mozilla::dom::NewRTCCertService',
 +    },
 +]
-diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp
---- firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp	2025-06-26 12:14:42.301060154 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp
+--- firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp	2024-09-30 21:41:07.649369081 +0200
 @@ -104,13 +104,15 @@ class MediaTransportHandlerSTS : public
                           // via IPC anymore
                           const nsTArray<NrIceStunAddr>& aStunAddrs) override;
@@ -221,7 +221,7 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.D225034.
  
    void RemoveTransportsExcept(
        const std::set<std::string>& aTransportIds) override;
-@@ -804,14 +806,13 @@ void MediaTransportHandlerSTS::ActivateT
+@@ -799,14 +801,13 @@ void MediaTransportHandlerSTS::ActivateT
      const std::string& aTransportId, const std::string& aLocalUfrag,
      const std::string& aLocalPwd, size_t aComponentCount,
      const std::string& aUfrag, const std::string& aPassword,
@@ -239,7 +239,7 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.D225034.
         self = RefPtr<MediaTransportHandlerSTS>(this)]() {
          if (!mIceCtx) {
            return;  // Probably due to XPCOM shutdown
-@@ -819,7 +820,7 @@ void MediaTransportHandlerSTS::ActivateT
+@@ -814,7 +815,7 @@ void MediaTransportHandlerSTS::ActivateT
  
          MOZ_ASSERT(aComponentCount);
          RefPtr<DtlsIdentity> dtlsIdentity(
@@ -248,9 +248,9 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.cpp.D225034.
          if (!dtlsIdentity) {
            MOZ_ASSERT(false);
            return;
-diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.h
---- firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.h	2025-06-26 12:14:42.301442663 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.h.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.h
+--- firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.h.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandler.h	2024-09-30 21:41:07.650369114 +0200
 @@ -98,8 +98,8 @@ class MediaTransportHandler {
        const std::string& aTransportId, const std::string& aLocalUfrag,
        const std::string& aLocalPwd, size_t aComponentCount,
@@ -262,9 +262,9 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandler.h.D225034.17
        bool aPrivacyRequested) = 0;
  
    virtual void RemoveTransportsExcept(
-diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp
---- firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp	2025-06-26 12:14:42.301675179 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp
+--- firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp	2024-09-30 21:41:07.650369114 +0200
 @@ -269,17 +269,16 @@ void MediaTransportHandlerIPC::ActivateT
      const std::string& aTransportId, const std::string& aLocalUfrag,
      const std::string& aLocalPwd, size_t aComponentCount,
@@ -287,9 +287,9 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.cpp.D2250
                                          aDigests, aPrivacyRequested);
          }
        },
-diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h
---- firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h	2025-06-26 12:14:42.301923105 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h
+--- firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h	2024-09-30 21:41:07.650369114 +0200
 @@ -49,13 +49,15 @@ class MediaTransportHandlerIPC final : p
                           // this up internally
                           const nsTArray<NrIceStunAddr>& aStunAddrs) override;
@@ -313,9 +313,9 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportHandlerIPC.h.D225034
  
    void RemoveTransportsExcept(
        const std::set<std::string>& aTransportIds) override;
-diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp
---- firefox-140.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp	2025-06-26 12:14:42.302133961 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp
+--- firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp	2024-09-30 21:41:07.650369114 +0200
 @@ -174,12 +174,12 @@ mozilla::ipc::IPCResult MediaTransportPa
  mozilla::ipc::IPCResult MediaTransportParent::RecvActivateTransport(
      const string& transportId, const string& localUfrag, const string& localPwd,
@@ -333,10 +333,10 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/MediaTransportParent.cpp.D225034.1
        privacyRequested);
    return ipc::IPCResult::Ok();
  }
-diff -up firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp
---- firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp	2025-06-26 12:14:42.302823315 +0200
-@@ -4320,9 +4320,8 @@ void PeerConnectionImpl::UpdateTransport
+diff -up firefox-128.2.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.webrtc firefox-128.2.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp
+--- firefox-128.2.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp	2024-09-30 21:41:07.650369114 +0200
+@@ -4353,9 +4353,8 @@ void PeerConnectionImpl::UpdateTransport
          candidates.end());
    }
  
@@ -348,7 +348,7 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.D225034.175
    if (NS_FAILED(rv)) {
      CSFLogError(LOGTAG, "%s: Failed to serialize DTLS identity: %d",
                  __FUNCTION__, (int)rv);
-@@ -4338,7 +4337,7 @@ void PeerConnectionImpl::UpdateTransport
+@@ -4371,7 +4370,7 @@ void PeerConnectionImpl::UpdateTransport
  
    mTransportHandler->ActivateTransport(
        transport.mTransportId, transport.mLocalUfrag, transport.mLocalPwd,
@@ -357,9 +357,9 @@ diff -up firefox-140.0/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp.D225034.175
        transport.mDtls->GetRole() == JsepDtlsTransport::kJsepDtlsClient, digests,
        PrivacyRequested());
  
-diff -up firefox-140.0/dom/media/webrtc/MediaTransportParent.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/MediaTransportParent.h
---- firefox-140.0/dom/media/webrtc/MediaTransportParent.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/MediaTransportParent.h	2025-06-26 12:14:42.303449191 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/MediaTransportParent.h.webrtc firefox-128.2.0/dom/media/webrtc/MediaTransportParent.h
+--- firefox-128.2.0/dom/media/webrtc/MediaTransportParent.h.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/MediaTransportParent.h	2024-09-30 21:41:07.648369048 +0200
 @@ -40,9 +40,9 @@ class MediaTransportParent : public dom:
        const string& transportId, const string& localUfrag,
        const string& localPwd, const int& componentCount,
@@ -373,9 +373,9 @@ diff -up firefox-140.0/dom/media/webrtc/MediaTransportParent.h.D225034.175077949
    mozilla::ipc::IPCResult RecvRemoveTransportsExcept(
        const StringVector& transportIds);
    mozilla::ipc::IPCResult RecvStartIceChecks(const bool& isControlling,
-diff -up firefox-140.0/dom/media/webrtc/moz.build.D225034.1750779491 firefox-140.0/dom/media/webrtc/moz.build
---- firefox-140.0/dom/media/webrtc/moz.build.D225034.1750779491	2025-06-17 18:15:14.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/moz.build	2025-06-26 12:14:42.303672821 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/moz.build.webrtc firefox-128.2.0/dom/media/webrtc/moz.build
+--- firefox-128.2.0/dom/media/webrtc/moz.build.webrtc	2024-08-26 16:23:34.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/moz.build	2024-09-30 21:41:07.650369114 +0200
 @@ -41,6 +41,18 @@ SOURCES += [
      "CubebDeviceEnumerator.cpp",
  ]
@@ -407,7 +407,7 @@ diff -up firefox-140.0/dom/media/webrtc/moz.build.D225034.1750779491 firefox-140
          "RTCIdentityProviderRegistrar.cpp",
      ]
      # MediaEngineWebRTC.cpp needs to be built separately.
-@@ -111,7 +127,11 @@ EXPORTS.mozilla += [
+@@ -113,7 +129,11 @@ EXPORTS.mozilla += [
      "PeerIdentity.h",
  ]
  EXPORTS.mozilla.dom += [
@@ -419,9 +419,9 @@ diff -up firefox-140.0/dom/media/webrtc/moz.build.D225034.1750779491 firefox-140
  ]
  
  include("/ipc/chromium/chromium-config.mozbuild")
-diff -up firefox-140.0/dom/media/webrtc/nsIRTCCertService.idl.D225034.1750779491 firefox-140.0/dom/media/webrtc/nsIRTCCertService.idl
---- firefox-140.0/dom/media/webrtc/nsIRTCCertService.idl.D225034.1750779491	2025-06-26 12:14:42.303932017 +0200
-+++ firefox-140.0/dom/media/webrtc/nsIRTCCertService.idl	2025-06-26 12:14:42.303932017 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/nsIRTCCertService.idl.webrtc firefox-128.2.0/dom/media/webrtc/nsIRTCCertService.idl
+--- firefox-128.2.0/dom/media/webrtc/nsIRTCCertService.idl.webrtc	2024-09-30 21:41:07.651369147 +0200
++++ firefox-128.2.0/dom/media/webrtc/nsIRTCCertService.idl	2024-09-30 21:41:07.650369114 +0200
 @@ -0,0 +1,34 @@
 +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 +/* This Source Code Form is subject to the terms of the Mozilla Public
@@ -457,9 +457,9 @@ diff -up firefox-140.0/dom/media/webrtc/nsIRTCCertService.idl.D225034.1750779491
 +    // Get cert
 +    [notxpcom, nostdcall] RTCCertificatePromise getCertificate([const] in CertFingerprint aCertFingerprint);
 +};
-diff -up firefox-140.0/dom/media/webrtc/PMediaTransport.ipdl.D225034.1750779491 firefox-140.0/dom/media/webrtc/PMediaTransport.ipdl
---- firefox-140.0/dom/media/webrtc/PMediaTransport.ipdl.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/PMediaTransport.ipdl	2025-06-26 12:14:42.304154235 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/PMediaTransport.ipdl.webrtc firefox-128.2.0/dom/media/webrtc/PMediaTransport.ipdl
+--- firefox-128.2.0/dom/media/webrtc/PMediaTransport.ipdl.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/PMediaTransport.ipdl	2024-09-30 21:41:07.648369048 +0200
 @@ -62,8 +62,7 @@ parent:
                            int componentCount,
                            string remoteUfrag,
@@ -470,9 +470,9 @@ diff -up firefox-140.0/dom/media/webrtc/PMediaTransport.ipdl.D225034.1750779491
                            int authType,
                            bool dtlsClient,
                            DtlsDigestList digests,
-diff -up firefox-140.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl.D225034.1750779491 firefox-140.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl
---- firefox-140.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl.D225034.1750779491	2025-06-26 12:14:42.304369078 +0200
-+++ firefox-140.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl	2025-06-26 12:14:42.304369078 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl.webrtc firefox-128.2.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl
+--- firefox-128.2.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,33 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this file,
@@ -507,9 +507,9 @@ diff -up firefox-140.0/dom/media/webrtc/PRTCCertServiceTransaction.ipdl.D225034.
 +
 +}
 +}
-diff -up firefox-140.0/dom/media/webrtc/RTCCertCache.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertCache.cpp
---- firefox-140.0/dom/media/webrtc/RTCCertCache.cpp.D225034.1750779491	2025-06-26 12:14:42.304591095 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertCache.cpp	2025-06-26 12:14:42.304591095 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertCache.cpp.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertCache.cpp
+--- firefox-128.2.0/dom/media/webrtc/RTCCertCache.cpp.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertCache.cpp	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,48 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -559,9 +559,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertCache.cpp.D225034.1750779491 fire
 +}
 +
 +}  // namespace mozilla::dom
-diff -up firefox-140.0/dom/media/webrtc/RTCCertCache.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertCache.h
---- firefox-140.0/dom/media/webrtc/RTCCertCache.h.D225034.1750779491	2025-06-26 12:14:42.304801480 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertCache.h	2025-06-26 12:14:42.304801480 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertCache.h.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertCache.h
+--- firefox-128.2.0/dom/media/webrtc/RTCCertCache.h.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertCache.h	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,36 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -599,9 +599,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertCache.h.D225034.1750779491 firefo
 +}  // namespace mozilla::dom
 +
 +#endif  // mozilla_dom_CertCache_h
-diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertificate.cpp
---- firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491	2025-06-17 18:15:14.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertificate.cpp	2025-06-26 12:38:54.418795430 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertificate.cpp.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertificate.cpp
+--- firefox-128.2.0/dom/media/webrtc/RTCCertificate.cpp.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertificate.cpp	2024-09-30 21:41:07.649369081 +0200
 @@ -25,13 +25,12 @@
  #include "mozilla/UniquePtr.h"
  #include "mozilla/dom/BindingDeclarations.h"
@@ -624,8 +624,8 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 +#include "nsServiceManagerUtils.h"
  #include "pk11pub.h"
  #include "plarena.h"
- #include "sdp/SdpAttribute.h"
-@@ -72,196 +72,10 @@ NS_INTERFACE_MAP_END
+ #include "secasn1.h"
+@@ -71,271 +71,203 @@ NS_INTERFACE_MAP_END
    PRTime(PR_USEC_PER_SEC) * PRTime(60)  /*sec*/ \
        * PRTime(60) /*min*/ * PRTime(24) /*hours*/
  #define EXPIRATION_DEFAULT ONE_DAY* PRTime(30)
@@ -652,7 +652,15 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -      // certificate". This catches these cases.
 -      mEarlyRv = NS_ERROR_DOM_NOT_SUPPORTED_ERR;
 -    }
--  }
++static PRTime ReadExpires(JSContext* aCx, const ObjectOrString& aOptions,
++                          ErrorResult& aRv) {
++  // This conversion might fail, but we don't really care; use the default.
++  // If this isn't an object, or it doesn't coerce into the right type,
++  // then we won't get the |expires| value.  Either will be caught later.
++  RTCCertificateExpiration expiration;
++  if (!aOptions.IsObject()) {
++    return EXPIRATION_DEFAULT;
+   }
 -
 - private:
 -  PRTime mExpires;
@@ -676,8 +684,12 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -    buf[sizeof(buf) - 1] = '\0';
 -
 -    return CERT_AsciiToName(buf);
--  }
--
++  JS::Rooted<JS::Value> value(aCx, JS::ObjectValue(*aOptions.GetAsObject()));
++  if (!expiration.Init(aCx, value)) {
++    aRv.NoteJSContextException(aCx);
++    return 0;
+   }
+ 
 -  nsresult GenerateCertificate() {
 -    UniquePK11SlotInfo slot(PK11_GetInternalSlot());
 -    MOZ_ASSERT(slot.get());
@@ -686,38 +698,77 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -    if (!subjectName) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++  if (!expiration.mExpires.WasPassed()) {
++    return EXPIRATION_DEFAULT;
++  }
++  static const uint64_t max =
++      static_cast<uint64_t>(EXPIRATION_MAX / PR_USEC_PER_MSEC);
++  if (expiration.mExpires.Value() > max) {
++    return EXPIRATION_MAX;
++  }
++  return static_cast<PRTime>(expiration.mExpires.Value() * PR_USEC_PER_MSEC);
++}
+ 
 -    UniqueSECKEYPublicKey publicKey(mKeyPair->mPublicKey->GetPublicKey());
 -    UniqueCERTSubjectPublicKeyInfo spki(
 -        SECKEY_CreateSubjectPublicKeyInfo(publicKey.get()));
 -    if (!spki) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++RTCCertificateMetadata::RTCCertificateMetadata()
++    : mExpires(0),
++      mSignatureAlg(SEC_OID_UNKNOWN),
++      mMechanism(CKM_INVALID_MECHANISM),
++      mRsaParams() {}
++
++nsresult RTCCertificateMetadata::Init(JSContext* aCx,
++                                      const ObjectOrString& aAlgorithm,
++                                      SSLKEAType* aAuthType, ErrorResult& aRv) {
++  mExpires = ReadExpires(aCx, aAlgorithm, aRv);
++  if (aRv.Failed()) {
++    return NS_ERROR_DOM_UNKNOWN_ERR;
++  }
+ 
 -    UniqueCERTCertificateRequest certreq(
 -        CERT_CreateCertificateRequest(subjectName.get(), spki.get(), nullptr));
 -    if (!certreq) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++  mArena = UniquePLArenaPool(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
++  if (!mArena) {
++    return NS_ERROR_DOM_UNKNOWN_ERR;
++  }
+ 
 -    PRTime now = PR_Now();
 -    PRTime notBefore = now - EXPIRATION_SLACK;
 -    mExpires += now;
--
++  // Extract algorithm name
++  nsresult rv = GetAlgorithmName(aCx, aAlgorithm, mAlgName);
++  NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+ 
 -    UniqueCERTValidity validity(CERT_CreateValidity(notBefore, mExpires));
 -    if (!validity) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++  // Construct an appropriate KeyAlorithm
++  if (mAlgName.EqualsLiteral(WEBCRYPTO_ALG_RSASSA_PKCS1)) {
++    RootedDictionary<RsaHashedKeyGenParams> params(aCx);
++    rv = Coerce(aCx, params, aAlgorithm);
++    NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_SYNTAX_ERR);
+ 
 -    unsigned long serial;
 -    // Note: This serial in principle could collide, but it's unlikely, and we
 -    // don't expect anyone to be validating certificates anyway.
 -    SECStatus rv = PK11_GenerateRandomOnSlot(
 -        slot.get(), reinterpret_cast<unsigned char*>(&serial), sizeof(serial));
 -    if (rv != SECSuccess) {
--      return NS_ERROR_DOM_UNKNOWN_ERR;
--    }
--
++    // Pull relevant info
++    uint32_t modulusLength = params.mModulusLength;
++    CryptoBuffer publicExponent;
++    if (!publicExponent.Assign(params.mPublicExponent)) {
+       return NS_ERROR_DOM_UNKNOWN_ERR;
+     }
+ 
 -    // NB: CERTCertificates created with CERT_CreateCertificate are not safe to
 -    // use with other NSS functions like CERT_DupCertificate.  The strategy
 -    // here is to create a tbsCertificate ("to-be-signed certificate"), encode
@@ -727,17 +778,28 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -        serial, subjectName.get(), validity.get(), certreq.get()));
 -    if (!tbsCertificate) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
--    }
--
++    nsString hashName;
++    rv = GetAlgorithmName(aCx, params.mHash, hashName);
++    NS_ENSURE_SUCCESS(rv, rv);
++    if (!hashName.EqualsLiteral(WEBCRYPTO_ALG_SHA256)) {
++      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
+     }
+ 
 -    MOZ_ASSERT(mSignatureAlg != SEC_OID_UNKNOWN);
 -    PLArenaPool* arena = tbsCertificate->arena;
--
++    mMechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+ 
 -    rv = SECOID_SetAlgorithmID(arena, &tbsCertificate->signature, mSignatureAlg,
 -                               nullptr);
 -    if (rv != SECSuccess) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
--    }
--
++    // Set up params struct
++    mRsaParams.keySizeInBits = modulusLength;
++    bool converted = publicExponent.GetBigIntValue(mRsaParams.pe);
++    if (!converted) {
++      return NS_ERROR_DOM_INVALID_ACCESS_ERR;
+     }
+ 
 -    // Set version to X509v3.
 -    *(tbsCertificate->version.data) = SEC_CERTIFICATE_VERSION_3;
 -    tbsCertificate->version.len = 1;
@@ -746,25 +808,37 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -    if (!SEC_ASN1EncodeItem(arena, &innerDER, tbsCertificate.get(),
 -                            SEC_ASN1_GET(CERT_CertificateTemplate))) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
--    }
--
++    auto sz = static_cast<size_t>(mRsaParams.keySizeInBits);
++    if (sz < RTCCertificateMinRsaSize) {
++      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
+     }
+ 
 -    SECItem* certDer = PORT_ArenaZNew(arena, SECItem);
 -    if (!certDer) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++    SerializeRSAParam(&mParam, &mRsaParams);
+ 
 -    UniqueSECKEYPrivateKey privateKey(mKeyPair->mPrivateKey->GetPrivateKey());
 -    rv = SEC_DerSignData(arena, certDer, innerDER.data, innerDER.len,
 -                         privateKey.get(), mSignatureAlg);
 -    if (rv != SECSuccess) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
 -    }
--
++    mSignatureAlg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
++    *aAuthType = ssl_kea_rsa;
++  } else if (mAlgName.EqualsLiteral(WEBCRYPTO_ALG_ECDSA)) {
++    RootedDictionary<EcKeyGenParams> params(aCx);
++    rv = Coerce(aCx, params, aAlgorithm);
++    NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_SYNTAX_ERR);
+ 
 -    mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(), certDer,
 -                                               nullptr, false, true));
 -    if (!mCertificate) {
 -      return NS_ERROR_DOM_UNKNOWN_ERR;
--    }
++    if (!NormalizeToken(params.mNamedCurve, mNamedCurve)) {
++      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
+     }
 -    return NS_OK;
 -  }
 -
@@ -792,11 +866,14 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -      mSignatureAlg = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
 -      mAuthType = ssl_kea_ecdh;
 -    } else {
--      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
--    }
++    mMechanism = CKM_EC_KEY_PAIR_GEN;
++    if (!SerializeECParams(&mParam,
++                           CreateECParamsForCurve(mNamedCurve, mArena.get()))) {
+       return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
+     }
 -    return NS_OK;
 -  }
--
+ 
 -  nsresult DoCrypto() override {
 -    nsresult rv = GenerateAsymmetricKeyTask::DoCrypto();
 -    NS_ENSURE_SUCCESS(rv, rv);
@@ -805,8 +882,14 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -    NS_ENSURE_SUCCESS(rv, rv);
 -
 -    return NS_OK;
--  }
--
++    // We only support good curves in WebCrypto.
++    // If that ever changes, check that a good one was chosen.
++    mSignatureAlg = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
++    *aAuthType = ssl_kea_ecdh;
++  } else {
++    return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
+   }
+ 
 -  virtual void Resolve() override {
 -    // Make copies of the private key and certificate, otherwise, when this
 -    // object is deleted, the structures they reference will be deleted too.
@@ -819,104 +902,39 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 -  }
 -};
 -
- static PRTime ReadExpires(JSContext* aCx, const ObjectOrString& aOptions,
-                           ErrorResult& aRv) {
-   // This conversion might fail, but we don't really care; use the default.
-@@ -288,46 +102,166 @@ static PRTime ReadExpires(JSContext* aCx
-   return static_cast<PRTime>(expiration.mExpires.Value() * PR_USEC_PER_MSEC);
- }
- 
--already_AddRefed<Promise> RTCCertificate::GenerateCertificate(
-+RTCCertificateMetadata::RTCCertificateMetadata()
-+    : mExpires(0),
-+      mSignatureAlg(SEC_OID_UNKNOWN),
-+      mMechanism(CKM_INVALID_MECHANISM),
-+      mRsaParams() {}
-+
-+nsresult RTCCertificateMetadata::Init(JSContext* aCx,
-+                                      const ObjectOrString& aAlgorithm,
-+                                      SSLKEAType* aAuthType, ErrorResult& aRv) {
-+  mExpires = ReadExpires(aCx, aAlgorithm, aRv);
-+  if (aRv.Failed()) {
-+    return NS_ERROR_DOM_UNKNOWN_ERR;
-+  }
-+
-+  mArena = UniquePLArenaPool(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
-+  if (!mArena) {
-+    return NS_ERROR_DOM_UNKNOWN_ERR;
-+  }
-+
-+  // Extract algorithm name
-+  nsresult rv = GetAlgorithmName(aCx, aAlgorithm, mAlgName);
-+  NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_NOT_SUPPORTED_ERR);
-+
-+  // Construct an appropriate KeyAlorithm
-+  if (mAlgName.EqualsLiteral(WEBCRYPTO_ALG_RSASSA_PKCS1)) {
-+    RootedDictionary<RsaHashedKeyGenParams> params(aCx);
-+    rv = Coerce(aCx, params, aAlgorithm);
-+    NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_SYNTAX_ERR);
-+  
-+    // Pull relevant info
-+    uint32_t modulusLength = params.mModulusLength;
-+    CryptoBuffer publicExponent;
-+    if (!publicExponent.Assign(params.mPublicExponent)) {
-+
-+      return NS_ERROR_DOM_UNKNOWN_ERR;
-+    }
-+
-+    nsString hashName;
-+    rv = GetAlgorithmName(aCx, params.mHash, hashName);
-+    NS_ENSURE_SUCCESS(rv, rv);
-+    if (!hashName.EqualsLiteral(WEBCRYPTO_ALG_SHA256)) {
-+      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
-+    }
-+
-+    mMechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-+    // Set up params struct
-+    mRsaParams.keySizeInBits = modulusLength;
-+    bool converted = publicExponent.GetBigIntValue(mRsaParams.pe);
-+    if (!converted) {
-+      return NS_ERROR_DOM_INVALID_ACCESS_ERR;
-+    }
-+    
-+    auto sz = static_cast<size_t>(mRsaParams.keySizeInBits);
-+    if (sz < RTCCertificateMinRsaSize) {
-+      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
-+    }
-+
-+    SerializeRSAParam(&mParam, &mRsaParams);
-+
-+    mSignatureAlg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
-+    *aAuthType = ssl_kea_rsa;
-+  } else if (mAlgName.EqualsLiteral(WEBCRYPTO_ALG_ECDSA)) {
-+    RootedDictionary<EcKeyGenParams> params(aCx);
-+    rv = Coerce(aCx, params, aAlgorithm);
-+    NS_ENSURE_SUCCESS(rv, NS_ERROR_DOM_SYNTAX_ERR);
-+    if (!NormalizeToken(params.mNamedCurve, mNamedCurve)) {
-+      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
-+    }
-+    mMechanism = CKM_EC_KEY_PAIR_GEN;
-+    if (!SerializeECParams(&mParam,
-+                           CreateECParamsForCurve(mNamedCurve, mArena.get()))) {
-+      return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
-+    }
-+
-+    // We only support good curves in WebCrypto.
-+    // If that ever changes, check that a good one was chosen.
-+    mSignatureAlg = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
-+    *aAuthType = ssl_kea_ecdh;
-+  } else {
-+    return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
-+  }
+-static PRTime ReadExpires(JSContext* aCx, const ObjectOrString& aOptions,
+-                          ErrorResult& aRv) {
+-  // This conversion might fail, but we don't really care; use the default.
+-  // If this isn't an object, or it doesn't coerce into the right type,
+-  // then we won't get the |expires| value.  Either will be caught later.
+-  RTCCertificateExpiration expiration;
+-  if (!aOptions.IsObject()) {
+-    return EXPIRATION_DEFAULT;
+-  }
+-  JS::Rooted<JS::Value> value(aCx, JS::ObjectValue(*aOptions.GetAsObject()));
+-  if (!expiration.Init(aCx, value)) {
+-    aRv.NoteJSContextException(aCx);
+-    return 0;
+-  }
 +  return NS_OK;
 +}
-+
+ 
+-  if (!expiration.mExpires.WasPassed()) {
+-    return EXPIRATION_DEFAULT;
+-  }
+-  static const uint64_t max =
+-      static_cast<uint64_t>(EXPIRATION_MAX / PR_USEC_PER_MSEC);
+-  if (expiration.mExpires.Value() > max) {
+-    return EXPIRATION_MAX;
+-  }
+-  return static_cast<PRTime>(expiration.mExpires.Value() * PR_USEC_PER_MSEC);
 +RefPtr<RTCCertFingerprintPromise> RTCCertificateMetadata::Generate(
 +    nsCOMPtr<nsIRTCCertService> aCertService) {
 +  return aCertService->GenerateCertificate(mParam, mExpires, mMechanism,
-+                                          mSignatureAlg);
-+}
-+
++                                           mSignatureAlg);
+ }
+ 
+-already_AddRefed<Promise> RTCCertificate::GenerateCertificate(
 +already_AddRefed<Promise> RTCCertificate::Generate(
      const GlobalObject& aGlobal, const ObjectOrString& aOptions,
 -    ErrorResult& aRv, JS::Compartment* aCompartment) {
@@ -941,7 +959,6 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 +    }
      return nullptr;
    }
-+ 
  
 -  PRTime expires = ReadExpires(aGlobal.Context(), aOptions, aRv);
 -  if (aRv.Failed()) {
@@ -1017,11 +1034,6 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
 +  */
 +}
  
- void RTCCertificate::GetFingerprints(
-     nsTArray<dom::RTCDtlsFingerprint>& aFingerprintsOut) {
-@@ -357,13 +291,10 @@ void RTCCertificate::GetFingerprints(
- }
- 
  RefPtr<DtlsIdentity> RTCCertificate::CreateDtlsIdentity() const {
 -  if (!mPrivateKey || !mCertificate) {
 +  if (!mCertificate) {
@@ -1035,7 +1047,7 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
    return id;
  }
  
-@@ -372,17 +303,10 @@ JSObject* RTCCertificate::WrapObject(JSC
+@@ -344,17 +276,10 @@ JSObject* RTCCertificate::WrapObject(JSC
    return RTCCertificate_Binding::Wrap(aCx, this, aGivenProto);
  }
  
@@ -1057,7 +1069,7 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
  }
  
  bool RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter) const {
-@@ -398,27 +322,23 @@ bool RTCCertificate::WriteCertificate(JS
+@@ -370,27 +295,23 @@ bool RTCCertificate::WriteCertificate(JS
  
  bool RTCCertificate::WriteStructuredClone(
      JSContext* aCx, JSStructuredCloneWriter* aWriter) const {
@@ -1092,7 +1104,7 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
  }
  
  bool RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader) {
-@@ -456,7 +376,8 @@ already_AddRefed<RTCCertificate> RTCCert
+@@ -428,7 +349,8 @@ already_AddRefed<RTCCertificate> RTCCert
    }
    cert->mExpires = static_cast<PRTime>(high) << 32 | low;
  
@@ -1102,9 +1114,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.cpp.D225034.1750779491 fi
      return nullptr;
    }
  
-diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertificate.h
---- firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertificate.h	2025-06-26 12:42:14.067026422 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertificate.h.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertificate.h
+--- firefox-128.2.0/dom/media/webrtc/RTCCertificate.h.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertificate.h	2024-09-30 21:41:07.649369081 +0200
 @@ -15,7 +15,11 @@
  #include "mozilla/AlreadyAddRefed.h"
  #include "mozilla/Assertions.h"
@@ -1117,11 +1129,10 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491 fire
  #include "nsIGlobalObject.h"
  #include "nsISupports.h"
  #include "nsWrapperCache.h"
-@@ -40,6 +44,27 @@ namespace dom {
- class GlobalObject;
+@@ -41,6 +45,26 @@ class GlobalObject;
  class ObjectOrString;
  class Promise;
-+
+ 
 +class RTCCertificateMetadata {
 + public:
 +  RTCCertificateMetadata();
@@ -1142,10 +1153,10 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491 fire
 +  nsString mAlgName;
 +};
 +
- struct RTCDtlsFingerprint;
- 
  class RTCCertificate final : public nsISupports, public nsWrapperCache {
-@@ -53,9 +78,6 @@ class RTCCertificate final : public nsIS
+  public:
+   NS_DECL_CYCLE_COLLECTING_ISUPPORTS
+@@ -52,9 +76,6 @@ class RTCCertificate final : public nsIS
        ErrorResult& aRv, JS::Compartment* aCompartment = nullptr);
  
    explicit RTCCertificate(nsIGlobalObject* aGlobal);
@@ -1155,7 +1166,7 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491 fire
  
    nsIGlobalObject* GetParentObject() const { return mGlobal; }
    virtual JSObject* WrapObject(JSContext* aCx,
-@@ -78,21 +100,30 @@ class RTCCertificate final : public nsIS
+@@ -76,20 +97,29 @@ class RTCCertificate final : public nsIS
        JSStructuredCloneReader* aReader);
  
   private:
@@ -1186,15 +1197,14 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertificate.h.D225034.1750779491 fire
    UniqueCERTCertificate mCertificate;
 -  SSLKEAType mAuthType;
 -  PRTime mExpires;
-   nsTArray<RTCDtlsFingerprint> mFingerprints;
 +  SSLKEAType mAuthType = ssl_kea_null;
 +  PRTime mExpires = 0;
  };
  
  }  // namespace dom
-diff -up firefox-140.0/dom/media/webrtc/RTCCertService.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertService.cpp
---- firefox-140.0/dom/media/webrtc/RTCCertService.cpp.D225034.1750779491	2025-06-26 12:14:42.306004069 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertService.cpp	2025-06-26 12:14:42.306004069 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertService.cpp.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertService.cpp
+--- firefox-128.2.0/dom/media/webrtc/RTCCertService.cpp.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertService.cpp	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,154 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -1350,9 +1360,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertService.cpp.D225034.1750779491 fi
 +}
 +
 +}  // namespace mozilla::dom
-diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceData.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertServiceData.cpp
---- firefox-140.0/dom/media/webrtc/RTCCertServiceData.cpp.D225034.1750779491	2025-06-26 12:14:42.306223801 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertServiceData.cpp	2025-06-26 12:14:42.306223801 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.cpp.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.cpp
+--- firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.cpp.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.cpp	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,77 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -1431,9 +1441,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceData.cpp.D225034.175077949
 +}
 +
 +}  // namespace mozilla::dom
-diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceData.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertServiceData.h
---- firefox-140.0/dom/media/webrtc/RTCCertServiceData.h.D225034.1750779491	2025-06-26 12:14:42.306399401 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertServiceData.h	2025-06-26 12:14:42.306399401 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.h.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.h
+--- firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.h.webrtc	2024-09-30 21:41:07.649369081 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertServiceData.h	2024-09-30 21:41:07.649369081 +0200
 @@ -0,0 +1,105 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -1540,9 +1550,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceData.h.D225034.1750779491
 +}  // namespace mozilla
 +
 +#endif  // mozilla_dom_RTCCertServiceGlobal_h_
-diff -up firefox-140.0/dom/media/webrtc/RTCCertService.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertService.h
---- firefox-140.0/dom/media/webrtc/RTCCertService.h.D225034.1750779491	2025-06-26 12:14:42.306588336 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertService.h	2025-06-26 12:14:42.306588336 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertService.h.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertService.h
+--- firefox-128.2.0/dom/media/webrtc/RTCCertService.h.webrtc	2024-09-30 21:41:07.648369048 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertService.h	2024-09-30 21:41:07.648369048 +0200
 @@ -0,0 +1,49 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -1593,9 +1603,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertService.h.D225034.1750779491 fire
 +}  // namespace mozilla::dom
 +
 +#endif  // mozilla_dom_CertServiceChild_h
-diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceParent.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertServiceParent.cpp
---- firefox-140.0/dom/media/webrtc/RTCCertServiceParent.cpp.D225034.1750779491	2025-06-26 12:14:42.306799462 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertServiceParent.cpp	2025-06-26 12:14:42.306799462 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.cpp.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.cpp
+--- firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.cpp.webrtc	2024-09-30 21:41:07.649369081 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.cpp	2024-09-30 21:41:07.649369081 +0200
 @@ -0,0 +1,353 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -1950,9 +1960,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceParent.cpp.D225034.1750779
 +}
 +
 +}  // namespace mozilla::dom
-diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceParent.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/RTCCertServiceParent.h
---- firefox-140.0/dom/media/webrtc/RTCCertServiceParent.h.D225034.1750779491	2025-06-26 12:14:42.307072966 +0200
-+++ firefox-140.0/dom/media/webrtc/RTCCertServiceParent.h	2025-06-26 12:14:42.307072966 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.h.webrtc firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.h
+--- firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.h.webrtc	2024-09-30 21:41:07.649369081 +0200
++++ firefox-128.2.0/dom/media/webrtc/RTCCertServiceParent.h	2024-09-30 21:41:07.649369081 +0200
 @@ -0,0 +1,42 @@
 +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* vim: set ts=8 sts=2 et sw=2 tw=80: */
@@ -1996,9 +2006,9 @@ diff -up firefox-140.0/dom/media/webrtc/RTCCertServiceParent.h.D225034.175077949
 +}  // namespace mozilla::dom
 +
 +#endif  // mozilla_dom_CertServiceTransactionParent_h
-diff -up firefox-140.0/dom/media/webrtc/transport/dtlsidentity.cpp.D225034.1750779491 firefox-140.0/dom/media/webrtc/transport/dtlsidentity.cpp
---- firefox-140.0/dom/media/webrtc/transport/dtlsidentity.cpp.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/transport/dtlsidentity.cpp	2025-06-26 12:14:42.307331702 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.cpp.webrtc firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.cpp
+--- firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.cpp.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.cpp	2024-09-30 21:41:07.651369147 +0200
 @@ -17,136 +17,19 @@
  #include "sslerr.h"
  
@@ -2179,9 +2189,9 @@ diff -up firefox-140.0/dom/media/webrtc/transport/dtlsidentity.cpp.D225034.17507
 +}
 +
  }  // namespace mozilla
-diff -up firefox-140.0/dom/media/webrtc/transport/dtlsidentity.h.D225034.1750779491 firefox-140.0/dom/media/webrtc/transport/dtlsidentity.h
---- firefox-140.0/dom/media/webrtc/transport/dtlsidentity.h.D225034.1750779491	2025-06-17 18:15:13.000000000 +0200
-+++ firefox-140.0/dom/media/webrtc/transport/dtlsidentity.h	2025-06-26 12:14:42.307559680 +0200
+diff -up firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.h.webrtc firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.h
+--- firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.h.webrtc	2024-08-26 16:23:35.000000000 +0200
++++ firefox-128.2.0/dom/media/webrtc/transport/dtlsidentity.h	2024-09-30 21:41:07.651369147 +0200
 @@ -10,6 +10,7 @@
  #include <vector>
  
@@ -2237,10 +2247,10 @@ diff -up firefox-140.0/dom/media/webrtc/transport/dtlsidentity.h.D225034.1750779
    UniqueSECKEYPrivateKey private_key_;
    UniqueCERTCertificate cert_;
    SSLKEAType auth_type_;
-diff -up firefox-140.0/ipc/glue/BackgroundParentImpl.cpp.D225034.1750779491 firefox-140.0/ipc/glue/BackgroundParentImpl.cpp
---- firefox-140.0/ipc/glue/BackgroundParentImpl.cpp.D225034.1750779491	2025-06-17 18:15:14.000000000 +0200
-+++ firefox-140.0/ipc/glue/BackgroundParentImpl.cpp	2025-06-26 12:14:42.307823345 +0200
-@@ -59,6 +59,7 @@
+diff -up firefox-128.2.0/ipc/glue/BackgroundParentImpl.cpp.webrtc firefox-128.2.0/ipc/glue/BackgroundParentImpl.cpp
+--- firefox-128.2.0/ipc/glue/BackgroundParentImpl.cpp.webrtc	2024-08-26 16:23:36.000000000 +0200
++++ firefox-128.2.0/ipc/glue/BackgroundParentImpl.cpp	2024-09-30 21:41:07.651369147 +0200
+@@ -57,6 +57,7 @@
  #include "mozilla/dom/quota/QuotaParent.h"
  #include "mozilla/dom/simpledb/ActorsParent.h"
  #include "mozilla/dom/VsyncParent.h"
@@ -2248,10 +2258,10 @@ diff -up firefox-140.0/ipc/glue/BackgroundParentImpl.cpp.D225034.1750779491 fire
  #include "mozilla/ipc/BackgroundParent.h"
  #include "mozilla/ipc/BackgroundUtils.h"
  #include "mozilla/ipc/Endpoint.h"
-diff -up firefox-140.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp.D225034.1750779491 firefox-140.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp
---- firefox-140.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp.D225034.1750779491	2025-06-17 18:15:19.000000000 +0200
-+++ firefox-140.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp	2025-06-26 12:14:42.308182079 +0200
-@@ -200,13 +200,15 @@ class LoopbackTransport : public MediaTr
+diff -up firefox-128.2.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp.webrtc firefox-128.2.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp
+--- firefox-128.2.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp.webrtc	2024-08-26 16:23:42.000000000 +0200
++++ firefox-128.2.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp	2024-09-30 21:41:07.651369147 +0200
+@@ -197,13 +197,15 @@ class LoopbackTransport : public MediaTr
                           // this up internally
                           const nsTArray<NrIceStunAddr>& aStunAddrs) override {}
  
@@ -2274,9 +2284,9 @@ diff -up firefox-140.0/media/webrtc/signaling/gtest/mediapipeline_unittest.cpp.D
  
    void RemoveTransportsExcept(
        const std::set<std::string>& aTransportIds) override {}
-diff -up firefox-140.0/netwerk/ipc/PSocketProcessBridge.ipdl.D225034.1750779491 firefox-140.0/netwerk/ipc/PSocketProcessBridge.ipdl
---- firefox-140.0/netwerk/ipc/PSocketProcessBridge.ipdl.D225034.1750779491	2025-06-17 18:15:20.000000000 +0200
-+++ firefox-140.0/netwerk/ipc/PSocketProcessBridge.ipdl	2025-06-26 12:14:42.308456975 +0200
+diff -up firefox-128.2.0/netwerk/ipc/PSocketProcessBridge.ipdl.webrtc firefox-128.2.0/netwerk/ipc/PSocketProcessBridge.ipdl
+--- firefox-128.2.0/netwerk/ipc/PSocketProcessBridge.ipdl.webrtc	2024-08-26 16:23:42.000000000 +0200
++++ firefox-128.2.0/netwerk/ipc/PSocketProcessBridge.ipdl	2024-09-30 21:41:07.651369147 +0200
 @@ -10,6 +10,8 @@ include protocol PBackgroundDataBridge;
  include protocol PMediaTransport;
  #endif // MOZ_WEBRTC
@@ -2294,9 +2304,9 @@ diff -up firefox-140.0/netwerk/ipc/PSocketProcessBridge.ipdl.D225034.1750779491
  };
  
  }
-diff -up firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.cpp.D225034.1750779491 firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.cpp
---- firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.cpp.D225034.1750779491	2025-06-17 18:15:20.000000000 +0200
-+++ firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.cpp	2025-06-26 12:14:42.308665677 +0200
+diff -up firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.cpp.webrtc firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.cpp
+--- firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.cpp.webrtc	2024-08-26 16:23:43.000000000 +0200
++++ firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.cpp	2024-09-30 21:41:07.651369147 +0200
 @@ -9,6 +9,7 @@
  #ifdef MOZ_WEBRTC
  #  include "mozilla/dom/MediaTransportParent.h"
@@ -2343,9 +2353,9 @@ diff -up firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.cpp.D225034.1750779
  void SocketProcessBridgeParent::ActorDestroy(ActorDestroyReason aReason) {
    // See bug 1846478. We might be able to remove this dispatch.
    GetCurrentSerialEventTarget()->Dispatch(NS_NewRunnableFunction(
-diff -up firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.h.D225034.1750779491 firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.h
---- firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.h.D225034.1750779491	2025-06-17 18:15:20.000000000 +0200
-+++ firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.h	2025-06-26 12:14:42.308878987 +0200
+diff -up firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.h.webrtc firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.h
+--- firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.h.webrtc	2024-08-26 16:23:43.000000000 +0200
++++ firefox-128.2.0/netwerk/ipc/SocketProcessBridgeParent.h	2024-09-30 21:41:07.651369147 +0200
 @@ -29,6 +29,9 @@ class SocketProcessBridgeParent final :
        Endpoint<PMediaTransportParent>&& aEndpoint);
  #endif
@@ -2356,3 +2366,4 @@ diff -up firefox-140.0/netwerk/ipc/SocketProcessBridgeParent.h.D225034.175077949
    void ActorDestroy(ActorDestroyReason aReason) override;
  
   private:
+diff -up firefox-128.2.0/third_party/libwebrtc/examples/androidtests/third_party/README.webrtc firefox-128.2.0/third_party/libwebrtc/examples/androidtests/third_party/README