From de04ed802b187ab3f3b231bab3f3ab6a31cfbeee Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 20 Nov 2025 13:53:28 +0000 Subject: [PATCH] Import from CS git --- .gitignore | 4 +- .thunderbird.metadata | 4 +- ...ird-adapt-ml-dsa-support-to-rhel-nss.patch | 59 ++++ ...sa-certificate-support-to-certviewer.patch | 323 ++++++++++++++++++ ...rbird-add-mlkem768-secp256r1-support.patch | 190 +++++++++++ ...derbird-enable-ml-dsa-in-manager-ssl.patch | 48 +++ ...ion-for-certificate-chain-validation.patch | 239 +++++++++++++ ...or-pkix-certificate-chain-validation.patch | 247 ++++++++++++++ SOURCES/thunderbird-redhat-default-prefs.js | 2 - SOURCES/thunderbird.appdata.xml.in | 50 +++ SPECS/thunderbird.spec | 50 ++- 11 files changed, 1199 insertions(+), 17 deletions(-) create mode 100644 SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch create mode 100644 SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch create mode 100644 SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch create mode 100644 SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch create mode 100644 SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch create mode 100644 SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch create mode 100644 SOURCES/thunderbird.appdata.xml.in diff --git a/.gitignore b/.gitignore index acae9f5..ede5426 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ SOURCES/cbindgen-vendor.tar.xz SOURCES/nspr-4.36.0-2.el8_2.src.rpm SOURCES/nss-3.112.0-1.el9_4.src.rpm SOURCES/nss-3.112.0-4.el8_2.src.rpm -SOURCES/thunderbird-140.4.0esr.processed-source.tar.xz -SOURCES/thunderbird-langpacks-140.4.0esr-20251013.tar.xz +SOURCES/thunderbird-140.5.0esr.processed-source.tar.xz +SOURCES/thunderbird-langpacks-140.5.0esr-20251111.tar.xz diff --git a/.thunderbird.metadata b/.thunderbird.metadata index 73ce720..0cda3b5 100644 --- a/.thunderbird.metadata +++ b/.thunderbird.metadata @@ -2,5 +2,5 @@ bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz 0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm c3f0aaef37972107442e2796efad71be3a98ce3c SOURCES/nss-3.112.0-4.el8_2.src.rpm -a9ee21c5a1c914e16c778da25383aa6b6d4a1b9f SOURCES/thunderbird-140.4.0esr.processed-source.tar.xz -11d24d1b3a0f5f19c97012a9cc6da7650e73276e SOURCES/thunderbird-langpacks-140.4.0esr-20251013.tar.xz +d520f59fc94847639c7fad352c70806f1e9387ea SOURCES/thunderbird-140.5.0esr.processed-source.tar.xz +93aae73f4a8d28e76adcb9298fb3074fa86aa6f7 SOURCES/thunderbird-langpacks-140.5.0esr-20251111.tar.xz diff --git a/SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch b/SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch new file mode 100644 index 0000000..fc1a42f --- /dev/null +++ b/SOURCES/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch @@ -0,0 +1,59 @@ +diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp +index 31aa1ddd67..93ab402bfd 100644 +--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp +@@ -303,6 +303,28 @@ DigestBufNSS(Input item, + return Success; + } + ++static SECOidTag ++findOIDByName(const char *cipherString) ++{ ++ SECOidTag tag; ++ SECOidData *oid; ++ ++ for (int i = 1; ; i++) { ++ SECOidTag tag = static_cast(i); ++ oid = SECOID_FindOIDByTag(tag); ++ ++ if (oid == NULL) { ++ break; ++ } ++ ++ if (strcasecmp(oid->desc, cipherString) == 0) { ++ return tag; ++ } ++ } ++ ++ return SEC_OID_UNKNOWN; ++} ++ + Result + VerifyMLDSASignedDataNSS(Input data, + Input signature, +@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data, + SECItem dataItem(UnsafeMapInputToSECItem(data)); + CK_MECHANISM_TYPE mechanism; + +- switch (pubk->u.mldsa.paramSet) { +- case SEC_OID_ML_DSA_44: +- case SEC_OID_ML_DSA_65: +- case SEC_OID_ML_DSA_87: +- mechanism = CKM_ML_DSA; +- signaturePolicyTag = pubk->u.mldsa.paramSet; +- hashPolicyTag = SEC_OID_UNKNOWN; +- break; +- default: +- return Result::ERROR_UNSUPPORTED_KEYALG; +- break; ++ if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") || ++ pubk->u.mldsa.params == findOIDByName("ML-DSA-65") || ++ pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) { ++ hashPolicyTag = SEC_OID_UNKNOWN; ++ mechanism = CKM_ML_DSA; ++ signaturePolicyTag = pubk->u.mldsa.params; ++ } else { ++ return Result::ERROR_UNSUPPORTED_KEYALG; + } + + SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag}; diff --git a/SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch b/SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch new file mode 100644 index 0000000..a61d2b3 --- /dev/null +++ b/SOURCES/thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch @@ -0,0 +1,323 @@ +diff --git a/toolkit/components/certviewer/content/certDecoder.mjs b/toolkit/components/certviewer/content/certDecoder.mjs +--- a/toolkit/components/certviewer/content/certDecoder.mjs ++++ b/toolkit/components/certviewer/content/certDecoder.mjs +@@ -5,10 +5,11 @@ + import { + Certificate, + ECNamedCurves, + ECPublicKey, + RSAPublicKey, ++ MLDSAPublicKey, + } from "./vendor/pkijs.js"; + + const getTimeZone = () => { + let timeZone = new Date().toString().match(/\(([A-Za-z\s].*)\)/); + if (timeZone === null) { +@@ -45,10 +46,19 @@ + x, // x coordinate + y, // y coordinate + xy: `04:${x}:${y}`, // 04 (uncompressed) public key + }; + } ++ if (publicKey instanceof MLDSAPublicKey) { ++ let keyHex = publicKey.rhoT1.valueBlock.valueHex; ++ let keyBytes = new Uint8Array(keyHex); ++ return { ++ kty: publicKey.alg, ++ keysize: keyBytes.length, ++ rhoT1: hashify(keyHex), ++ }; ++ } + return { kty: "Unknown" }; + }; + + const getX509Ext = (extensions, v) => { + for (var extension in extensions) { +@@ -1132,10 +1142,13 @@ + "2.16.840.1.101.3.4.3.2": "DSA with SHA-256", + "1.2.840.10045.4.1": "ECDSA with SHA-1", + "1.2.840.10045.4.3.2": "ECDSA with SHA-256", + "1.2.840.10045.4.3.3": "ECDSA with SHA-384", + "1.2.840.10045.4.3.4": "ECDSA with SHA-512", ++ "2.16.840.1.101.3.4.3.17": "ML-DSA-44", ++ "2.16.840.1.101.3.4.3.18": "ML-DSA-65", ++ "2.16.840.1.101.3.4.3.19": "ML-DSA-87", + }, + + aia: { + "1.3.6.1.5.5.7.48.1": "Online Certificate Status Protocol (OCSP)", + "1.3.6.1.5.5.7.48.2": "CA Issuers", +diff --git a/toolkit/components/certviewer/content/certviewer.mjs b/toolkit/components/certviewer/content/certviewer.mjs +--- a/toolkit/components/certviewer/content/certviewer.mjs ++++ b/toolkit/components/certviewer/content/certviewer.mjs +@@ -74,10 +74,23 @@ + } + } + return result ? result : false; + }; + ++const getMLDSASecurityLevel = signatureName => { ++ switch (signatureName) { ++ case "ML-DSA-44": ++ return "Level 2 (NIST)"; ++ case "ML-DSA-65": ++ return "Level 3 (NIST)"; ++ case "ML-DSA-87": ++ return "Level 5 (NIST)"; ++ default: ++ return null; ++ } ++}; ++ + export const adjustCertInformation = cert => { + let certItems = []; + let tabName = cert?.subject?.cn || ""; + if (cert && !tabName) { + // No common name, use the value of the last item in the cert's entries. +@@ -173,10 +186,15 @@ + createEntryItem("key-size", cert.subjectPublicKeyInfo.keysize), + createEntryItem("curve", cert.subjectPublicKeyInfo.crv), + createEntryItem("public-value", cert.subjectPublicKeyInfo.xy, true), + createEntryItem("exponent", cert.subjectPublicKeyInfo.e), + createEntryItem("modulus", cert.subjectPublicKeyInfo.n, true), ++ createEntryItem( ++ "mldsa-public-value", ++ cert.subjectPublicKeyInfo.rhoT1, ++ true ++ ), + ].filter(elem => elem != null); + } + return items; + }, + certItems, +@@ -190,14 +208,23 @@ + createEntryItem("serial-number", cert.serialNumber, true), + createEntryItem( + "signature-algorithm", + cert.signature ? cert.signature.name : null + ), ++ ]; ++ ++ const secLvl = getMLDSASecurityLevel(cert.signature?.name); ++ if (secLvl) { ++ items.push(createEntryItem("security-level", secLvl)); ++ } ++ ++ items.push( + createEntryItem("version", cert.version), +- createEntryItem("download", cert.files ? cert.files.pem : null), +- ].filter(elem => elem != null); +- return items; ++ createEntryItem("download", cert.files ? cert.files.pem : null) ++ ); ++ ++ return items.filter(elem => elem != null); + }, + certItems, + "miscellaneous", + false + ); +diff --git a/toolkit/components/certviewer/content/vendor/pkijs.js b/toolkit/components/certviewer/content/vendor/pkijs.js +--- a/toolkit/components/certviewer/content/vendor/pkijs.js ++++ b/toolkit/components/certviewer/content/vendor/pkijs.js +@@ -8609,10 +8609,90 @@ + this.publicExponent = new Integer({ valueHex: stringToArrayBuffer(fromBase64(json.e, true)).slice(0, 3) }); + } + } + RSAPublicKey.CLASS_NAME = "RSAPublicKey"; + ++/* @see https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html */ ++const RHO_T1 = "rhoT1"; ++const ALG = "alg"; ++const CLEAR_PROPS_MLDSA = [RHO_T1, ALG]; ++const MLDSA_MIN_LENGTH = 32; ++class MLDSAPublicKey extends PkiObject { ++ constructor(parameters = {}) { ++ super(); ++ ++ this.rhoT1 = getParametersValue(parameters, RHO_T1, MLDSAPublicKey.defaultValues(RHO_T1)); ++ this.alg = getParametersValue(parameters, ALG, MLDSAPublicKey.defaultValues(ALG)); ++ ++ if (parameters.json) { ++ this.fromJSON(parameters.json); ++ } ++ ++ if (parameters.schema) { ++ this.fromSchema(parameters.schema); ++ } ++ } ++ ++ static defaultValues(memberName) { ++ switch (memberName) { ++ case RHO_T1: ++ return new BitString(); ++ case ALG: ++ return ""; ++ default: ++ return super.defaultValues(memberName); ++ } ++ } ++ ++ static schema(parameters = {}) { ++ const names = getParametersValue(parameters, "names", {}); ++ return new BitString({ name: names.rhoT1 || RHO_T1 }); ++ } ++ ++ fromSchema(schema) { ++ clearProps(schema, CLEAR_PROPS_MLDSA); ++ ++ const asn1 = compareSchema(schema, schema, MLDSAPublicKey.schema({ ++ names: { rhoT1: RHO_T1 } ++ })); ++ ++ AsnError.assertSchema(asn1, this.className); ++ ++ const bitString = asn1.result.rhoT1; ++ const length = bitString.valueBlock.valueHexView.length; ++ ++ if (length < MLDSA_MIN_LENGTH || (length - MLDSA_MIN_LENGTH) % 320 !== 0) { ++ throw new Error(`Invalid ML-DSA key length: ${length} bytes`); ++ } ++ ++ this.rhoT1 = bitString; ++ } ++ ++ toSchema() { ++ return this.rhoT1; ++ } ++ ++ toJSON() { ++ return { ++ rhoT1: Convert.ToBase64Url(this.rhoT1.valueBlock.valueHexView), ++ alg: this.alg ++ }; ++ } ++ ++ fromJSON(json) { ++ ParameterError.assert("json", json, "rhoT1"); ++ const rawBuffer = stringToArrayBuffer(fromBase64(json.rhoT1, true)); ++ ++ if (rawBuffer.byteLength < MLDSA_MIN_LENGTH || (rawBuffer.byteLength - MLDSA_MIN_LENGTH) % 320 !== 0) { ++ throw new Error(`Invalid ML-DSA key length: ${rawBuffer.byteLength} bytes`); ++ } ++ ++ this.rhoT1 = new BitString({ valueHex: rawBuffer }); ++ } ++} ++MLDSAPublicKey.CLASS_NAME = "MLDSAPublicKey"; ++ + const ALGORITHM$1 = "algorithm"; + const SUBJECT_PUBLIC_KEY = "subjectPublicKey"; + const CLEAR_PROPS$1a = [ALGORITHM$1, SUBJECT_PUBLIC_KEY]; + class PublicKeyInfo extends PkiObject { + constructor(parameters = {}) { +@@ -8657,10 +8737,22 @@ + catch (ex) { + } + } + } + break; ++ case "2.16.840.1.101.3.4.3.17": ++ /* Already a bitstring */ ++ this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-44" }); ++ break; ++ case "2.16.840.1.101.3.4.3.18": ++ /* Already a bitstring */ ++ this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-65" }); ++ break; ++ case "2.16.840.1.101.3.4.3.19": ++ /* Already a bitstring */ ++ this._parsedKey = new MLDSAPublicKey({ rhoT1: this.subjectPublicKey, alg: "ML-DSA-87" }); ++ break; + } + this._parsedKey || (this._parsedKey = null); + } + return this._parsedKey || undefined; + } +@@ -8724,10 +8816,19 @@ + jwk.kty = "EC"; + break; + case "1.2.840.113549.1.1.1": + jwk.kty = "RSA"; + break; ++ case "2.16.840.1.101.3.4.3.17": ++ jwk.kty = "ML-DSA-44"; ++ break; ++ case "2.16.840.1.101.3.4.3.18": ++ jwk.kty = "ML-DSA-65"; ++ break; ++ case "2.16.840.1.101.3.4.3.19": ++ jwk.kty = "ML-DSA-87"; ++ break; + } + const publicKeyJWK = this.parsedKey.toJSON(); + Object.assign(jwk, publicKeyJWK); + return jwk; + } +@@ -8746,10 +8847,31 @@ + this.algorithm = new AlgorithmIdentifier({ + algorithmId: "1.2.840.113549.1.1.1", + algorithmParams: new Null() + }); + break; ++ case "ML-DSA-44": ++ this.parsedKey = new MLDSAPublicKey({ json }); ++ this.algorithm = new AlgorithmIdentifier({ ++ algorithmId: "2.16.840.1.101.3.4.3.17", ++ algorithmParams: new Null() ++ }); ++ break; ++ case "ML-DSA-65": ++ this.parsedKey = new MLDSAPublicKey({ json }); ++ this.algorithm = new AlgorithmIdentifier({ ++ algorithmId: "2.16.840.1.101.3.4.3.18", ++ algorithmParams: new Null() ++ }); ++ break; ++ case "ML-DSA-87": ++ this.parsedKey = new MLDSAPublicKey({ json }); ++ this.algorithm = new AlgorithmIdentifier({ ++ algorithmId: "2.16.840.1.101.3.4.3.19", ++ algorithmParams: new Null() ++ }); ++ break; + default: + throw new Error(`Invalid value for "kty" parameter: ${json.kty}`); + } + this.subjectPublicKey = new BitString({ valueHex: this.parsedKey.toSchema().toBER(false) }); + } +@@ -24078,6 +24200,6 @@ + } + } + + initCryptoEngine(); + +-export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate }; ++export { AbstractCryptoEngine, AccessDescription, Accuracy, AlgorithmIdentifier, AltName, ArgumentError, AsnError, AttCertValidityPeriod, Attribute, AttributeCertificateInfoV1, AttributeCertificateInfoV2, AttributeCertificateV1, AttributeCertificateV2, AttributeTypeAndValue, AuthenticatedSafe, AuthorityKeyIdentifier, BasicConstraints, BasicOCSPResponse, CAVersion, CRLBag, CRLDistributionPoints, CertBag, CertID, Certificate, CertificateChainValidationEngine, CertificatePolicies, CertificateRevocationList, CertificateSet, CertificateTemplate, CertificationRequest, ChainValidationCode, ChainValidationError, ContentInfo, CryptoEngine, DigestInfo, DistributionPoint, ECCCMSSharedInfo, ECNamedCurves, ECPrivateKey, ECPublicKey, EncapsulatedContentInfo, EncryptedContentInfo, EncryptedData, EnvelopedData, ExtKeyUsage, Extension, ExtensionValueFactory, Extensions, GeneralName, GeneralNames, GeneralSubtree, HASHED_MESSAGE, HASH_ALGORITHM, Holder, InfoAccess, IssuerAndSerialNumber, IssuerSerial, IssuingDistributionPoint, KEKIdentifier, KEKRecipientInfo, KeyAgreeRecipientIdentifier, KeyAgreeRecipientInfo, KeyBag, KeyTransRecipientInfo, MICROS, MILLIS, MacData, MessageImprint, NameConstraints, OCSPRequest, OCSPResponse, ObjectDigestInfo, OriginatorIdentifierOrKey, OriginatorInfo, OriginatorPublicKey, OtherCertificateFormat, OtherKeyAttribute, OtherPrimeInfo, OtherRecipientInfo, OtherRevocationInfoFormat, PBES2Params, PBKDF2Params, PFX, PKCS8ShroudedKeyBag, PKIStatus, PKIStatusInfo, POLICY_IDENTIFIER, POLICY_QUALIFIERS, ParameterError, PasswordRecipientinfo, PkiObject, PolicyConstraints, PolicyInformation, PolicyMapping, PolicyMappings, PolicyQualifierInfo, PrivateKeyInfo, PrivateKeyUsagePeriod, PublicKeyInfo, QCStatement, QCStatements, RDN, RSAESOAEPParams, RSAPrivateKey, RSAPublicKey, RSASSAPSSParams, RecipientEncryptedKey, RecipientEncryptedKeys, RecipientIdentifier, RecipientInfo, RecipientKeyIdentifier, RelativeDistinguishedNames, Request, ResponseBytes, ResponseData, RevocationInfoChoices, RevokedCertificate, SECONDS, SafeBag, SafeBagValueFactory, SafeContents, SecretBag, Signature, SignedAndUnsignedAttributes, SignedCertificateTimestamp, SignedCertificateTimestampList, SignedData, SignedDataVerifyError, SignerInfo, SingleResponse, SubjectDirectoryAttributes, TBSRequest, TSTInfo, TYPE$4 as TYPE, TYPE_AND_VALUES, Time, TimeStampReq, TimeStampResp, TimeType, V2Form, VALUE$5 as VALUE, VALUE_BEFORE_DECODE, checkCA, createCMSECDSASignature, createECDSASignatureFromCMS, engine, getAlgorithmByOID, getAlgorithmParameters, getCrypto, getEngine, getHashAlgorithm, getOIDByAlgorithm, getRandomValues, id_AnyPolicy, id_AuthorityInfoAccess, id_AuthorityKeyIdentifier, id_BaseCRLNumber, id_BasicConstraints, id_CRLBag_X509CRL, id_CRLDistributionPoints, id_CRLNumber, id_CRLReason, id_CertBag_AttributeCertificate, id_CertBag_SDSICertificate, id_CertBag_X509Certificate, id_CertificateIssuer, id_CertificatePolicies, id_ContentType_Data, id_ContentType_EncryptedData, id_ContentType_EnvelopedData, id_ContentType_SignedData, id_ExtKeyUsage, id_FreshestCRL, id_InhibitAnyPolicy, id_InvalidityDate, id_IssuerAltName, id_IssuingDistributionPoint, id_KeyUsage, id_MicrosoftAppPolicies, id_MicrosoftCaVersion, id_MicrosoftCertTemplateV1, id_MicrosoftCertTemplateV2, id_MicrosoftPrevCaCertHash, id_NameConstraints, id_PKIX_OCSP_Basic, id_PolicyConstraints, id_PolicyMappings, id_PrivateKeyUsagePeriod, id_QCStatements, id_SignedCertificateTimestampList, id_SubjectAltName, id_SubjectDirectoryAttributes, id_SubjectInfoAccess, id_SubjectKeyIdentifier, id_ad, id_ad_caIssuers, id_ad_ocsp, id_eContentType_TSTInfo, id_pkix, id_sha1, id_sha256, id_sha384, id_sha512, kdf, setEngine, stringPrep, verifySCTsForCertificate, MLDSAPublicKey }; +diff --git a/toolkit/locales/en-US/toolkit/about/certviewer.ftl b/toolkit/locales/en-US/toolkit/about/certviewer.ftl +--- a/toolkit/locales/en-US/toolkit/about/certviewer.ftl ++++ b/toolkit/locales/en-US/toolkit/about/certviewer.ftl +@@ -45,20 +45,22 @@ + certificate-viewer-organization = Organization + certificate-viewer-organizational-unit = Organizational Unit + certificate-viewer-policy = Policy + certificate-viewer-protocol = Protocol + certificate-viewer-public-value = Public Value ++certificate-viewer-mldsa-public-value = Public Value + certificate-viewer-purposes = Purposes + certificate-viewer-qualifier = Qualifier + certificate-viewer-qualifiers = Qualifiers + certificate-viewer-required = Required + certificate-viewer-unsupported = <unsupported> + # Inc. means Incorporated, e.g GitHub is incorporated in Delaware + certificate-viewer-inc-state-province = Inc. State/Province + certificate-viewer-state-province = State/Province + certificate-viewer-sha-1 = SHA-1 + certificate-viewer-sha-256 = SHA-256 ++certificate-viewer-security-level = Security Level + certificate-viewer-serial-number = Serial Number + certificate-viewer-signature-algorithm = Signature Algorithm + certificate-viewer-signature-scheme = Signature Scheme + certificate-viewer-timestamp = Timestamp + certificate-viewer-value = Value + diff --git a/SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch b/SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch new file mode 100644 index 0000000..bea8377 --- /dev/null +++ b/SOURCES/thunderbird-add-mlkem768-secp256r1-support.patch @@ -0,0 +1,190 @@ +diff --git a/comm/third_party/rust/neqo-crypto/.cargo-checksum.json b/comm/third_party/rust/neqo-crypto/.cargo-checksum.json +index 85f14fe2f4..b7af45a5de 100644 +--- a/comm/third_party/rust/neqo-crypto/.cargo-checksum.json ++++ b/comm/third_party/rust/neqo-crypto/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"fb3b6353c0ed4683a1489e7c730b480e8c1895800bd024376165f722d8211d47","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file +diff --git a/comm/third_party/rust/neqo-crypto/src/constants.rs b/comm/third_party/rust/neqo-crypto/src/constants.rs +index c3cb109c6f..e0bdc5c3f4 100644 +--- a/comm/third_party/rust/neqo-crypto/src/constants.rs ++++ b/comm/third_party/rust/neqo-crypto/src/constants.rs +@@ -84,6 +84,7 @@ remap_enum! { + TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519, + TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00, + TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768, ++ TLS_GRP_KEM_MLKEM768SECP256R1 = ssl_grp_kem_secp256r1mlkem768, + } + } + +diff --git a/comm/third_party/rust/neqo-transport/.cargo-checksum.json b/comm/third_party/rust/neqo-transport/.cargo-checksum.json +index 2ab6177fb5..17c7e641ee 100644 +--- a/comm/third_party/rust/neqo-transport/.cargo-checksum.json ++++ b/comm/third_party/rust/neqo-transport/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_internal.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce8931c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"312d27efcb6ce334143f1c62ae821e2915f06b18284312de5af41adb9555b513","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/sent.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_internal.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce8931c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"3ea51742021e6c4d3b7f69747a80baf35a1166f0a3caac521dc8aa5c3181e40b","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/sent.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file +diff --git a/comm/third_party/rust/neqo-transport/src/crypto.rs b/comm/third_party/rust/neqo-transport/src/crypto.rs +index f0ffbc40fa..219d005946 100644 +--- a/comm/third_party/rust/neqo-transport/src/crypto.rs ++++ b/comm/third_party/rust/neqo-transport/src/crypto.rs +@@ -22,7 +22,7 @@ use neqo_crypto::{ + PrivateKey, PublicKey, Record, RecordList, ResumptionToken, SymKey, ZeroRttChecker, + TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_CT_HANDSHAKE, + TLS_GRP_EC_SECP256R1, TLS_GRP_EC_SECP384R1, TLS_GRP_EC_SECP521R1, TLS_GRP_EC_X25519, +- TLS_GRP_KEM_MLKEM768X25519, TLS_VERSION_1_3, ++ TLS_GRP_KEM_MLKEM768X25519, TLS_GRP_KEM_MLKEM768SECP256R1, TLS_VERSION_1_3, + }; + + use crate::{ +@@ -81,6 +81,7 @@ impl Crypto { + ])?; + agent.set_groups(if conn_params.mlkem_enabled() { + &[ ++ TLS_GRP_KEM_MLKEM768SECP256R1, + TLS_GRP_KEM_MLKEM768X25519, + TLS_GRP_EC_X25519, + TLS_GRP_EC_SECP256R1, +diff --git a/dom/media/webrtc/transport/transportlayerdtls.cpp b/dom/media/webrtc/transport/transportlayerdtls.cpp +index f242eeacf4..119a94ebae 100644 +--- a/dom/media/webrtc/transport/transportlayerdtls.cpp ++++ b/dom/media/webrtc/transport/transportlayerdtls.cpp +@@ -603,7 +603,7 @@ bool TransportLayerDtls::Setup() { + + // Mlkem must stay the last in the list because if we don't support it + // the amount of supported_groups will be sent without it. +- ssl_grp_kem_mlkem768x25519}; ++ ssl_grp_kem_mlkem768x25519, ssl_grp_kem_secp256r1mlkem768}; + + size_t numGroups = std::size(namedGroups); + if (!(StaticPrefs::security_tls_enable_kyber() && +diff --git a/netwerk/socket/neqo_glue/src/lib.rs b/netwerk/socket/neqo_glue/src/lib.rs +index 21e82b920d..7392ac377c 100644 +--- a/netwerk/socket/neqo_glue/src/lib.rs ++++ b/netwerk/socket/neqo_glue/src/lib.rs +@@ -330,6 +330,7 @@ impl NeqoHttp3Conn { + // These operations are infallible when conn.state == State::Init. + conn.set_groups(&[ + neqo_crypto::TLS_GRP_KEM_MLKEM768X25519, ++ neqo_crypto::TLS_GRP_KEM_MLKEM768SECP256R1, + neqo_crypto::TLS_GRP_EC_X25519, + neqo_crypto::TLS_GRP_EC_SECP256R1, + neqo_crypto::TLS_GRP_EC_SECP384R1, +@@ -338,7 +339,7 @@ impl NeqoHttp3Conn { + .map_err(|_| NS_ERROR_UNEXPECTED)?; + additional_shares += 1; + } +- // If additional_shares == 2, send mlkem768x25519, x25519, and p256. ++ // If additional_shares == 2, send mlkem768x25519, mlkem768secp256r1, x25519, and p256. + // If additional_shares == 1, send {mlkem768x25519, x25519} or {x25519, p256}. + // If additional_shares == 0, send x25519. + conn.send_additional_key_shares(additional_shares) +diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp +index 2dc48c9f4c..4acdd6b177 100644 +--- a/security/manager/ssl/nsNSSCallbacks.cpp ++++ b/security/manager/ssl/nsNSSCallbacks.cpp +@@ -658,6 +658,9 @@ nsCString getKeaGroupName(uint32_t aKeaGroup) { + case ssl_grp_kem_mlkem768x25519: + groupName = "mlkem768x25519"_ns; + break; ++ case ssl_grp_kem_secp256r1mlkem768: ++ groupName = "secp256r1mlkem768"_ns; ++ break; + case ssl_grp_ffdhe_2048: + groupName = "FF 2048"_ns; + break; +diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp +index b1a5f5c2df..dae326baa9 100644 +--- a/security/manager/ssl/nsNSSIOLayer.cpp ++++ b/security/manager/ssl/nsNSSIOLayer.cpp +@@ -450,7 +450,7 @@ bool retryDueToTLSIntolerance(PRErrorCode err, NSSSocketControl* socketInfo) { + errorName.AppendASCII(prErrorName); + } + mozilla::glean::tls::xyber_intolerance_reason.Get(errorName).Add(1); +- // Don't record version intolerance if we sent mlkem768x25519, just force a ++ // Don't record version intolerance if we sent mlkem768x25519/secp256r1mlkem768, just force a + // retry. + return true; + } +@@ -1561,7 +1561,8 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, + !(infoObject->GetProviderFlags() & + (nsISocketProvider::BE_CONSERVATIVE | nsISocketProvider::IS_RETRY))) { + const SSLNamedGroup namedGroups[] = { +- ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ++ ssl_grp_kem_mlkem768x25519, ssl_grp_kem_secp256r1mlkem768, ++ ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, + ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, + ssl_grp_ffdhe_3072}; + if (SECSuccess != +@@ -1574,14 +1575,14 @@ static nsresult nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS, + const SSLNamedGroup namedGroups[] = { + ssl_grp_ec_curve25519, ssl_grp_ec_secp256r1, ssl_grp_ec_secp384r1, + ssl_grp_ec_secp521r1, ssl_grp_ffdhe_2048, ssl_grp_ffdhe_3072}; +- // Skip the |ssl_grp_kem_mlkem768x25519| entry. ++ // Skip the |ssl_grp_kem_mlkem768x25519| and |ssl_grp_kem_secp256r1mlkem768| entries. + if (SECSuccess != + SSL_NamedGroupConfig(fd, namedGroups, std::size(namedGroups))) { + return NS_ERROR_FAILURE; + } + } + +- // If additional_shares == 2, send mlkem768x25519, x25519, and p256. ++ // If additional_shares == 2, send mlkem768x25519, secp256r1mlkem768, x25519, and p256. + // If additional_shares == 1, send {mlkem768x25519, x25519} or {x25519, p256}. + // If additional_shares == 0, send x25519. + if (SECSuccess != SSL_SendAdditionalKeyShares(fd, additional_shares)) { +diff --git a/third_party/rust/neqo-crypto/.cargo-checksum.json b/third_party/rust/neqo-crypto/.cargo-checksum.json +index 85f14fe2f4..b7af45a5de 100644 +--- a/third_party/rust/neqo-crypto/.cargo-checksum.json ++++ b/third_party/rust/neqo-crypto/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"50c1b84e06cd9a71bb9199f2518947a4d4ad3e5c33c1b86c585486dc43e872a0","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"a57adef48614a58209447e8bd115a2de3d8a42917a0b9a2ae9a97cabc3400c6a","bindings/bindings.toml":"e7e4b75736cfcf4d52febacb99a6f6c6c7b1d648ed8bdc424648be876c850e91","bindings/nspr_err.h":"2d5205d017b536c2d838bcf9bc4ec79f96dd50e7bb9b73892328781f1ee6629d","bindings/nspr_error.h":"e41c03c77b8c22046f8618832c9569fbcc7b26d8b9bbc35eea7168f35e346889","bindings/nspr_io.h":"085b289849ef0e77f88512a27b4d9bdc28252bd4d39c6a17303204e46ef45f72","bindings/nspr_time.h":"2e637fd338a5cf0fd3fb0070a47f474a34c2a7f4447f31b6875f5a9928d0a261","bindings/nss_ciphers.h":"95ec6344a607558b3c5ba8510f463b6295f3a2fb3f538a01410531045a5f62d1","bindings/nss_init.h":"ef49045063782fb612aff459172cc6a89340f15005808608ade5320ca9974310","bindings/nss_p11.h":"0b81e64fe6db49b2ecff94edd850be111ef99ec11220e88ceb1c67be90143a78","bindings/nss_secerr.h":"713e8368bdae5159af7893cfa517dabfe5103cede051dee9c9557c850a2defc6","bindings/nss_ssl.h":"af222fb957b989e392e762fa2125c82608a0053aff4fb97e556691646c88c335","bindings/nss_sslerr.h":"24b97f092183d8486f774cdaef5030d0249221c78343570d83a4ee5b594210ae","bindings/nss_sslopt.h":"b7807eb7abdad14db6ad7bc51048a46b065a0ea65a4508c95a12ce90e59d1eea","build.rs":"2f54f79958878ed7988441955344dd1a2a079b1bb409e8f12a70284fd7e351ef","min_version.txt":"0f9ddf9ddaeb5137a5ab3d238d06286822f9579b1f46ba76312a8c6d76176500","src/aead.rs":"08d7cad82e3bec32661cfd1689e6611b30ae328ec88481cb32201dd255777365","src/aead_null.rs":"a766e2f71fd8b77a8f81bc60aaaafcffb6aef1f0a1f39ea07fef45b3696718ce","src/agent.rs":"ec90d7556231c57da3a191f508eaf1f820f22d6b7912ee45d1a594eb0fea7a82","src/agentio.rs":"1baecfb725b54717a6a74bb4664692d187f62747cc5e0495f59b06729f96dea2","src/auth.rs":"7a1524bef0a0c71616f5ee8b3976d66201210b809271bcf5d06c0e560ae482af","src/cert.rs":"4fdaa3834d8a72f41198449010fd5c3f6be6a54e429427c37bde5aab9421585c","src/constants.rs":"fb3b6353c0ed4683a1489e7c730b480e8c1895800bd024376165f722d8211d47","src/ech.rs":"19d16af5a30e2060a8942a72487bd820c0d9c62ff1d3c490871752c56781c44b","src/err.rs":"4c7d0b46955b58aa9375210c2c5d24012056c3ad8a856b72d2c7c9542cc97046","src/exp.rs":"cd864fb5a61cd1472baa5b1d0951fc712753c22d21af83ebed09a01585f33b48","src/ext.rs":"a5676f8b9815cc7f6ed1da6fea091cf8754d8b80e90d37b726e905abe18930f8","src/hkdf.rs":"76c5abc8b2d6ee12d8a86cd730af2cf47a59b2fbfd3b8a635a1826636156794d","src/hp.rs":"6adf4ad78b5a065ab7310c69ad239eec156256043e2c185bf60b9d1f12ab1be4","src/lib.rs":"3ab979c264a909e663c5ef140cd57013180745b99937671c73a9003ca6347f41","src/min_version.rs":"c6e1f98b9f56db0622ac38c1be131c55acf4a0f09ed0d6283f4d6308e2d1301a","src/p11.rs":"49bcde067e55228dab483bd11b70dc29d40dc3c59fa60136daccb205dc468df0","src/prio.rs":"1858088afd2668e8fbff56959765b7d4df09342371b9282ade27bb4d7bd6ce69","src/replay.rs":"594ce92f368cbc5fb71ebfb62214f07d1e86df8e5ce94255d5593ffabb91cd03","src/result.rs":"5a76688787741de7a935dbbab4bcb917d481d1c9c50a34df7e510036feb3da17","src/secrets.rs":"5d85b1e15f47cd267fe70fa8ea7e4ebc4b07eab7713f451afeefcf15f146f8a5","src/selfencrypt.rs":"4f106465f582c38d3bb04cb5cbcbf65a349e3186784726d9f2bf511a4a4a35ee","src/ssl.rs":"04950bb534b5304eb417909a3a39ebaa9be234c7c13eacdc41c00a8edab1b09f","src/time.rs":"22989caf3dab85cfe955cc279fcca98a6df02d14fcd0e93cac7b39374b8b5763","tests/aead.rs":"e36ae77802df1ea6d17cfd1bd2178a3706089577d6fd1554ca86e748b8b235b9","tests/agent.rs":"fb95a2d5c86ce3fafcb127cd0a2a163e5ee70baf09b2c8483e4d1fb25644cee2","tests/ext.rs":"57af4e2df211fa8afdb73125d4344ef5c70c1ea4579107c3e6f5746308ee3e7b","tests/handshake.rs":"df8a901048268a390785e05e28cbc97b82e41e47d7eab2d5c0a57e434ca1adcf","tests/hkdf.rs":"1d2098dc8398395864baf13e4886cfd1da6d36118727c3b264f457ee3da6b048","tests/hp.rs":"7ee5d7290a3f61af67ad2c94670cba376027136370d9784948db655b7e00fe54","tests/init.rs":"3cfe8411ca31ad7dfb23822bb1570e1a5b2b334857173bdd7df086b65b81d95a","tests/selfencrypt.rs":"b65aed70e83dce660017159fc8a956d3b52e0807b590ad8d0a3a4265caa8c1fa"},"package":null} +\ No newline at end of file +diff --git a/third_party/rust/neqo-crypto/src/constants.rs b/third_party/rust/neqo-crypto/src/constants.rs +index c3cb109c6f..e0bdc5c3f4 100644 +--- a/third_party/rust/neqo-crypto/src/constants.rs ++++ b/third_party/rust/neqo-crypto/src/constants.rs +@@ -84,6 +84,7 @@ remap_enum! { + TLS_GRP_EC_X25519 = ssl_grp_ec_curve25519, + TLS_GRP_KEM_XYBER768D00 = ssl_grp_kem_xyber768d00, + TLS_GRP_KEM_MLKEM768X25519 = ssl_grp_kem_x25519mlkem768, ++ TLS_GRP_KEM_MLKEM768SECP256R1 = ssl_grp_kem_secp256r1mlkem768, + } + } + +diff --git a/third_party/rust/neqo-transport/.cargo-checksum.json b/third_party/rust/neqo-transport/.cargo-checksum.json +index 2ab6177fb5..17c7e641ee 100644 +--- a/third_party/rust/neqo-transport/.cargo-checksum.json ++++ b/third_party/rust/neqo-transport/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_internal.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce8931c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"312d27efcb6ce334143f1c62ae821e2915f06b18284312de5af41adb9555b513","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/sent.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file ++{"files":{"Cargo.toml":"b112e3e53a47e19caa358f4f77cbe1fea81dbceffbe03dd97823295726819a84","benches/min_bandwidth.rs":"11eeb817276c10522159662d1112acae00facbf6a0c8da1d94d0a50583fdf38c","benches/range_tracker.rs":"754871ef02608efab05f00c7dc6ad8ac559d0c2feb2072ea0f036c26b6285a8d","benches/rx_stream_orderer.rs":"2e15891b1db102ed7abdd07d1524acf6d5c0e0c32d935c735c04c40becda5718","benches/sent_packets.rs":"4f32d5c64d6b168b224e928abb647a3b42d54ed18cdec81e6ba6eae61be569bd","benches/transfer.rs":"933cf28a499e1376ce3d9c3130bd2ee69f0da9a99606a95e96328068640d6179","build.rs":"78ec79c93bf13c3a40ceef8bba1ea2eada61c8f2dfc15ea7bf117958d367949c","src/ackrate.rs":"e826470adf7f050bc217fd78df30a4e962787a1621a9116448c142e3a16ca909","src/addr_valid.rs":"53a301a3ab717ef78a886a54611bdcc324b21f1dd4f59e2943ae3978c5980990","src/cc/classic_cc.rs":"c2705695ce42cfdd43dc6f0e908d78b5e0ce20fde38c9033708b060330ac1f31","src/cc/cubic.rs":"1c8eb0a0945874be26a3c144d01fa8427a384c2e1aebafb1d293041811039e24","src/cc/mod.rs":"b290fcda18bc0fab2808a57dc0136b1e8721459175d12de5cf81164920f9b6fb","src/cc/new_reno.rs":"f438b5ab39413f8a9dad3575c6229bbae12140a316d8da34b5dcd9397551d5f7","src/cc/tests/cubic.rs":"79f17c380626b8ec26a8b4e070d2da1c9dd973890f1939afa5c606183a7d7a34","src/cc/tests/mod.rs":"017bf402a9a8c71b5c43343677635644babb57a849d81d0affc328b4b4b9cebb","src/cc/tests/new_reno.rs":"de2919e8c7e7e07fb8e14bb643518180ecf21de11fe76a6a84face9e38fc2122","src/cid.rs":"c20083329534206551c0a7b84bf677af1145d4af25b78640c4e92f37ae89ff52","src/connection/idle.rs":"a7d261859f3b62a2c9dc786367371dd114d6d2060bd32eba221177c07d2c8032","src/connection/mod.rs":"b31177e05d11516c02c983019d44531a2d56b15ccb5c25713e3bf5f5212e23bd","src/connection/params.rs":"ef23708f9b0a7f526e5224ed489055a499909384ef501cb96503e4e98c66dd1b","src/connection/saved.rs":"db677a12e4528a97c4d27e31f0f08d70b8fed0bfad460bbc84c42fa0941b0db3","src/connection/state.rs":"0be17df5d535f4c704d685a439054e7a9f3070ee080d778f4b89a5ae79ff5335","src/connection/test_internal.rs":"f3ebfe97b25c9c716d41406066295e5aff4e96a3051ef4e2b5fb258282bbc14c","src/connection/tests/ackrate.rs":"3a242d85de100dc7500074969fab12a64e62f6a48994a5486d28e15c27c4faa1","src/connection/tests/cc.rs":"e32a5e435435584147a832ef8af610b42e79650d2e3b23dcfea96a2056ca4311","src/connection/tests/close.rs":"c3b858cb403391879f7ed1d46790c65ff3fe05f80ace2cdb8b7128f974537fe7","src/connection/tests/datagram.rs":"7941f1917a78cfabb6f3d1b5fb010215c9278b75a39a2f568c1780304d5e98af","src/connection/tests/ecn.rs":"247cbc07eef9a39ca7c64e092f8237e91e264abd9b10e4e23a1d816c899f59c8","src/connection/tests/handshake.rs":"806bbc8386591276beefcfffeeee7de9da7caf7d97ae59368fda7021aaa948e4","src/connection/tests/idle.rs":"0ddcd7d736e45bc81e25b18e344753d00d53dba06b305006f7150d2446f63687","src/connection/tests/keys.rs":"6ced623655b18fbbd00a6b34663be8eccad0fd7b869029e11b71da3d731f63f6","src/connection/tests/migration.rs":"0c3499c6bb89cb2a89ad4252603292f00339142ce5236fc282351c01fd090886","src/connection/tests/mod.rs":"0b4e2385d376a08e37c4294b12c23e59fffaf973ce8931c4d37f5db03d83cc54","src/connection/tests/null.rs":"d39d34c895c40ea88bcc137cba43c34386ef9759c6f66f3487ffd41a5099feb8","src/connection/tests/priority.rs":"2f9ef42512cd05f5a3b7194b70ba0c25738b6f75901e4ca2258bf2cf2568d23a","src/connection/tests/recovery.rs":"fbc2353b6f9cbe4b047ec782c3a1108552f6f16e19bff29f3d41e7a42aa78060","src/connection/tests/resumption.rs":"1ff6b7005673f3bc9b791059946fbb4bf2b1f2677c737fa215e335e65bd0d582","src/connection/tests/stream.rs":"777e372827632172c5ceb1598f9b18bccf2a0a1ceba442ae09263dda58f0673e","src/connection/tests/vn.rs":"75127c42d20243ad553871b64a22b8c6953ca4d26bc0de898dfab34928d1e647","src/connection/tests/zerortt.rs":"94a5a705283c31f50f68a74c49d4bba4ba2a51d8122d9e50a14a831a902f8578","src/crypto.rs":"3ea51742021e6c4d3b7f69747a80baf35a1166f0a3caac521dc8aa5c3181e40b","src/ecn.rs":"1f0ee1cee631ecf08f6db73c909e29609ab513a58d3c7e7a6f3622486dcb8477","src/events.rs":"2c5d9ddef25e7547c9aff9688f4489bcb1788453293692c5bf0681e09d88b685","src/fc.rs":"7fc2a8eaf99235d1dc3734c04c37d8a0b14fe2463d71fbbc9ce2d946ebd0ee3a","src/frame.rs":"a085a0adf7dc319958d49c91462d2c661a547f902d82448fc55c7df86fb6817a","src/lib.rs":"2bfcf602f5a9d83fcd8c90daee6d38403c341a6974dca0347dde057141b6e8e7","src/pace.rs":"a6c6754a21b59b7955a570162f12015bdc65c5f0e497ce650062a5a92d5abb06","src/packet/metadata.rs":"68ee0b9350bcb8bc1078de728e49695cd784a48d106da0128c1006c371d49b84","src/packet/mod.rs":"b68c79515d8ff76cc693fba9b945596ef8b2227a3baccd1c49bccc6b51b4950e","src/packet/retry.rs":"12d4564f9fa682e82fb9604bcace35b478efdd35407c884cff839d9e02d7fadf","src/path.rs":"96c1fedd5c701905112e9aa586efd4bbc2d858b36abc5be12cca1319165c1590","src/pmtud.rs":"304433d6a905946481a04fc765becbfc33ff120f28a96d71d59a3034c39e642d","src/qlog.rs":"0011e04e264032de77470b6dcf57d49aa5d69572c080670e0d8a10f522874f42","src/quic_datagrams.rs":"8c3ad548a184ab8e7039bf180a983815daf490821b98bcd1211fd29eab41f3d6","src/recovery/mod.rs":"852bd9cc8e72ccf059e9ae7600977c024b5c2cca847d08cbac1052075f657229","src/recovery/sent.rs":"f6d4e90c99cf3c77d990748825f65a638bbdfe170d0d09774000ec3b705243e1","src/recovery/token.rs":"5a274b0587c7754344c270d06627b8dd42f556cae0e957a6855a709d130cb4ac","src/recv_stream.rs":"c4feed193f84de9f944d8102b3d49206a3dc52da8c86ca882f41588934e4c5c4","src/rtt.rs":"cbfa57cf7c258126a00d1bc5584cd3ead8a0f6f85be893c4a86497d6cfbe2323","src/send_stream.rs":"baa24dcf37b77e840b40937ae5b1b48692db8632c7e07c22bdbae23056e7bea0","src/sender.rs":"070077996bd07c25abd63d3cf26bee94fd53bbca951ae1e987a7d50558685e53","src/server.rs":"6a5dbfb1115905bda3c98238f9d4bbf6d7f661c3363c2ef0578eef865af6aef6","src/sni.rs":"1cbfd737226ad9b28887fb96793056e1f9e747b3769aea6cfd77da986d8cf2e1","src/stats.rs":"072f7afc190fc9eaf7db05ba84f8a76243d50602c61efece56fde14605012966","src/stream_id.rs":"8b7827e84a77de8107259c68060d095fbdc3fe434eb21eb9f044faedf0c9cbf8","src/streams.rs":"663688d56ddf556276c39c42aa20058d41dafda3458bfc1dc8e3683787853fbb","src/tparams.rs":"2188aea252e52d9a5bbfe05719dac9644af7aacb77a2a8ed1ed3ce865d35c6a2","src/tracking.rs":"53547e384b72175da0ea8cab25dfaa2c4b377ee0c2280c091f097b2aad5781f1","src/version.rs":"3676e8d34211599f344e4b9daa21d3897b3ce56b2cae738bbc6552db03d4bdad","tests/common/mod.rs":"8a2f781a16e74760ea57a09c4fc9adfe6a8ce56a6ecb7b1e9445e37125ea8d88","tests/conn_vectors.rs":"0e4a1b92c02b527842c127b789e70f6c4372c2b61b1a59a8e695f744ce155e2a","tests/connection.rs":"46be10c37090516c2fc4837059b3e5c8caf5ed7db9bc379ecf996a2f6e6b101a","tests/network.rs":"2e49aeca3dd1457758a13a56f48ddcd0d5af921e9aca59ed831b95ef4311dc1b","tests/retry.rs":"4306a4fd1d02449f1675882af1f09901a8ed4fe744a1daae189090292c81711c","tests/server.rs":"327880d12d84c3d164461888bc22311634a28eb0b559583a0126cbca0771fb59","tests/sni.rs":"2cbcfe218f43fa8c0a8da0497d8aed1ca2e590f41071428d85e3c3bca6135063","tests/stats.rs":"af8c1da46e984b55b172118aff4ad33be2375443f405e297d40981e65eb4d0cf"},"package":null} +\ No newline at end of file +diff --git a/third_party/rust/neqo-transport/src/crypto.rs b/third_party/rust/neqo-transport/src/crypto.rs +index f0ffbc40fa..219d005946 100644 +--- a/third_party/rust/neqo-transport/src/crypto.rs ++++ b/third_party/rust/neqo-transport/src/crypto.rs +@@ -22,7 +22,7 @@ use neqo_crypto::{ + PrivateKey, PublicKey, Record, RecordList, ResumptionToken, SymKey, ZeroRttChecker, + TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_CT_HANDSHAKE, + TLS_GRP_EC_SECP256R1, TLS_GRP_EC_SECP384R1, TLS_GRP_EC_SECP521R1, TLS_GRP_EC_X25519, +- TLS_GRP_KEM_MLKEM768X25519, TLS_VERSION_1_3, ++ TLS_GRP_KEM_MLKEM768X25519, TLS_GRP_KEM_MLKEM768SECP256R1, TLS_VERSION_1_3, + }; + + use crate::{ +@@ -81,6 +81,7 @@ impl Crypto { + ])?; + agent.set_groups(if conn_params.mlkem_enabled() { + &[ ++ TLS_GRP_KEM_MLKEM768SECP256R1, + TLS_GRP_KEM_MLKEM768X25519, + TLS_GRP_EC_X25519, + TLS_GRP_EC_SECP256R1, diff --git a/SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch b/SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch new file mode 100644 index 0000000..f130b7f --- /dev/null +++ b/SOURCES/thunderbird-enable-ml-dsa-in-manager-ssl.patch @@ -0,0 +1,48 @@ +diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp +index 2dc48c9f4c..0a7b84d787 100644 +--- a/security/manager/ssl/nsNSSCallbacks.cpp ++++ b/security/manager/ssl/nsNSSCallbacks.cpp +@@ -722,6 +722,15 @@ nsCString getSignatureName(uint32_t aSignatureScheme) { + case ssl_sig_rsa_pkcs1_sha1md5: + signatureName = "RSA-PKCS1-SHA1MD5"_ns; + break; ++ case ssl_sig_mldsa44: ++ signatureName = "ML-DSA-44"_ns; ++ break; ++ case ssl_sig_mldsa65: ++ signatureName = "ML-DSA-65"_ns; ++ break; ++ case ssl_sig_mldsa87: ++ signatureName = "ML-DSA-87"_ns; ++ break; + // All other groups are not enabled in Firefox. See sEnabledSignatureSchemes + // in nsNSSIOLayer.cpp. + default: +@@ -1061,6 +1070,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) { + glean::ssl::auth_ecdsa_curve_full.AccumulateSingleSample( + ECCCurve(channelInfo.authKeyBits)); + break; ++ case ssl_auth_mldsa44: ++ case ssl_auth_mldsa65: ++ case ssl_auth_mldsa87: ++ /* TODO: add auth_mldsa_key_size_full in ssl/metrics.yaml ++ glean::ssl::auth_mldsa_key_size_full.AccumulateSingleSample( ++ NonECCKeySize(channelInfo.authKeyBits)); */ ++ break; + default: + MOZ_CRASH("impossible auth algorithm"); + break; +diff --git a/security/manager/ssl/nsNSSIOLayer.cpp b/security/manager/ssl/nsNSSIOLayer.cpp +index b1a5f5c2df..7443011b13 100644 +--- a/security/manager/ssl/nsNSSIOLayer.cpp ++++ b/security/manager/ssl/nsNSSIOLayer.cpp +@@ -1300,6 +1300,9 @@ static PRFileDesc* nsSSLIOLayerImportFD(PRFileDesc* fd, + // Please change getSignatureName in nsNSSCallbacks.cpp when changing the list + // here. See NOTE at SSL_SignatureSchemePrefSet call site. + static const SSLSignatureScheme sEnabledSignatureSchemes[] = { ++ ssl_sig_mldsa87, ++ ssl_sig_mldsa65, ++ ssl_sig_mldsa44, + ssl_sig_ecdsa_secp256r1_sha256, + ssl_sig_ecdsa_secp384r1_sha384, + ssl_sig_ecdsa_secp521r1_sha512, diff --git a/SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch b/SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch new file mode 100644 index 0000000..a14a70e --- /dev/null +++ b/SOURCES/thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch @@ -0,0 +1,239 @@ +diff --git a/security/nss/lib/mozpkix/include/pkix/pkixder.h b/security/nss/lib/mozpkix/include/pkix/pkixder.h +index ac1ec24393..40eb5027af 100644 +--- a/security/nss/lib/mozpkix/include/pkix/pkixder.h ++++ b/security/nss/lib/mozpkix/include/pkix/pkixder.h +@@ -488,7 +488,7 @@ inline Result OptionalExtensions(Reader& input, uint8_t tag, + Result DigestAlgorithmIdentifier(Reader& input, + /*out*/ DigestAlgorithm& algorithm); + +-enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA }; ++enum class PublicKeyAlgorithm { RSA_PKCS1, RSA_PSS, ECDSA, MLDSA }; + + Result SignatureAlgorithmIdentifierValue( + Reader& input, +diff --git a/security/nss/lib/mozpkix/include/pkix/pkixnss.h b/security/nss/lib/mozpkix/include/pkix/pkixnss.h +index 6711959e71..b87e88a599 100644 +--- a/security/nss/lib/mozpkix/include/pkix/pkixnss.h ++++ b/security/nss/lib/mozpkix/include/pkix/pkixnss.h +@@ -50,6 +50,13 @@ Result VerifyECDSASignedDataNSS(Input data, DigestAlgorithm digestAlgorithm, + Input signature, Input subjectPublicKeyInfo, + void* pkcs11PinArg); + ++// Verifies the ML-DSA signature on the given data using the given ML-DSA ++// public key ++Result VerifyMLDSASignedDataNSS(Input data, ++ Input signature, ++ Input subjectPublicKeyInfo, ++ void* pkcs11PinArg); ++ + // Computes the digest of the given data using the given digest algorithm. + // + // item contains the data to hash. +diff --git a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h +index 6a07d6e885..f24bd546e4 100644 +--- a/security/nss/lib/mozpkix/include/pkix/pkixtypes.h ++++ b/security/nss/lib/mozpkix/include/pkix/pkixtypes.h +@@ -334,6 +334,10 @@ class TrustDomain { + Input signature, + Input subjectPublicKeyInfo) = 0; + ++ virtual Result VerifyMLDSASignedData(Input data, ++ Input signature, ++ Input subjectPublicKeyInfo) = 0; ++ + // Check that the validity duration is acceptable. + // + // Return Success if the validity duration is acceptable, +diff --git a/security/nss/lib/mozpkix/lib/pkixc.cpp b/security/nss/lib/mozpkix/lib/pkixc.cpp +index 5dea13c43e..f797a3b3a1 100644 +--- a/security/nss/lib/mozpkix/lib/pkixc.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixc.cpp +@@ -143,6 +143,15 @@ class CodeSigningTrustDomain final : public TrustDomain { + subjectPublicKeyInfo, nullptr); + } + ++ virtual Result VerifyMLDSASignedData(Input data, ++ Input signature, ++ Input subjectPublicKeyInfo) override { ++ return VerifyMLDSASignedDataNSS(data, ++ signature, ++ subjectPublicKeyInfo, ++ nullptr); ++ } ++ + virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter, + EndEntityOrCA endEntityOrCA, + KeyPurposeId keyPurpose) override { +diff --git a/security/nss/lib/mozpkix/lib/pkixcheck.cpp b/security/nss/lib/mozpkix/lib/pkixcheck.cpp +index 8b7e1bf73e..4ce73f3944 100644 +--- a/security/nss/lib/mozpkix/lib/pkixcheck.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixcheck.cpp +@@ -118,6 +118,9 @@ CheckSignatureAlgorithm(TrustDomain& trustDomain, + // for any curve that we support, the chances of us encountering a curve + // during path building is too low to be worth bothering with. + break; ++ ++ case der::PublicKeyAlgorithm::MLDSA: ++ break; + MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM + } + +@@ -248,6 +251,24 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01 + }; + ++ // Params for pure ML-DSA-44 signature ++ // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17 ++ static const uint8_t id_ml_dsa_44[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11 ++ }; ++ ++ // Params for pure ML-DSA-65 signature ++ // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18 ++ static const uint8_t id_ml_dsa_65[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12 ++ }; ++ ++ // Params for pure ML-DSA-87 signature ++ // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19 ++ static const uint8_t id_ml_dsa_87[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13 ++ }; ++ + if (algorithmOID.MatchRest(id_ecPublicKey)) { + // An id-ecPublicKey AlgorithmIdentifier has a parameter that identifes + // the curve being used. Although RFC 5480 specifies multiple forms, we +@@ -361,6 +382,30 @@ CheckSubjectPublicKeyInfoContents(Reader& input, TrustDomain& trustDomain, + if (rv != Success) { + return rv; + } ++ } else if (algorithmOID.MatchRest(id_ml_dsa_44) || ++ algorithmOID.MatchRest(id_ml_dsa_65) || ++ algorithmOID.MatchRest(id_ml_dsa_87)) { ++ ++ /* ++ * The ML-DSA AlgorithmIdentifier is expected to contain only the OID, ++ * with no parameters field present. According to the Internet-Draft ++ * https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-11.html ++ * (Section 3), the AlgorithmIdentifier for ML-DSA variants must omit the `parameters` ++ * field entirely. ++ * In DER encoding, the absence of the parameters field means that after parsing the ++ * OID, no additional bytes should remain. Calling `der::End(algorithm)` confirms that ++ * this constraint is satisfied and that the structure is correctly encoded. ++ */ ++ rv = der::End(algorithm); ++ if (rv != Success) { ++ return rv; ++ } ++ ++ Input rawPublicKey; ++ rv = subjectPublicKeyReader.SkipToEnd(rawPublicKey); ++ if (rv != Success) { ++ return rv; ++ } + } else { + return Result::ERROR_UNSUPPORTED_KEYALG; + } +diff --git a/security/nss/lib/mozpkix/lib/pkixder.cpp b/security/nss/lib/mozpkix/lib/pkixder.cpp +index 59454c7d3c..4ff45ed566 100644 +--- a/security/nss/lib/mozpkix/lib/pkixder.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixder.cpp +@@ -211,6 +211,24 @@ SignatureAlgorithmIdentifierValue(Reader& input, + 0x00, 0xa2, 0x03, 0x02, 0x01, 0x40 + }; + ++ // Params for pure ML-DSA-44 signature ++ // python DottedOIDToCode.py id-ml-dsa-44 2.16.840.1.101.3.4.3.17 ++ static const uint8_t id_ml_dsa_44[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11 ++ }; ++ ++ // Params for pure ML-DSA-65 signature ++ // python DottedOIDToCode.py id-ml-dsa-65 2.16.840.1.101.3.4.3.18 ++ static const uint8_t id_ml_dsa_65[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12 ++ }; ++ ++ // Params for pure ML-DSA-87 signature ++ // python DottedOIDToCode.py id-ml-dsa-87 2.16.840.1.101.3.4.3.19 ++ static const uint8_t id_ml_dsa_87[] = { ++ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13 ++ }; ++ + // Matching is attempted based on a rough estimate of the commonality of the + // algorithm, to minimize the number of MatchRest calls. + if (algorithmID.MatchRest(sha256WithRSAEncryption)) { +@@ -252,6 +270,10 @@ SignatureAlgorithmIdentifierValue(Reader& input, + } else { + return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; + } ++ } else if (algorithmID.MatchRest(id_ml_dsa_44) || ++ algorithmID.MatchRest(id_ml_dsa_65) || ++ algorithmID.MatchRest(id_ml_dsa_87)) { ++ publicKeyAlgorithm = PublicKeyAlgorithm::MLDSA; + } else { + return Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED; + } +diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp +index 606ef708d8..31aa1ddd67 100644 +--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp +@@ -303,6 +303,44 @@ DigestBufNSS(Input item, + return Success; + } + ++Result ++VerifyMLDSASignedDataNSS(Input data, ++ Input signature, ++ Input subjectPublicKeyInfo, ++ void* pkcs11PinArg) ++{ ++ ScopedSECKEYPublicKey publicKey; ++ SECKEYPublicKey *pubk = NULL; ++ SECOidTag signaturePolicyTag, hashPolicyTag; ++ Result rv = SubjectPublicKeyInfoToSECKEYPublicKey(subjectPublicKeyInfo, ++ publicKey); ++ if (rv != Success) { ++ return rv; ++ } ++ ++ pubk = publicKey.get(); ++ SECItem signatureItem(UnsafeMapInputToSECItem(signature)); ++ SECItem dataItem(UnsafeMapInputToSECItem(data)); ++ CK_MECHANISM_TYPE mechanism; ++ ++ switch (pubk->u.mldsa.paramSet) { ++ case SEC_OID_ML_DSA_44: ++ case SEC_OID_ML_DSA_65: ++ case SEC_OID_ML_DSA_87: ++ mechanism = CKM_ML_DSA; ++ signaturePolicyTag = pubk->u.mldsa.paramSet; ++ hashPolicyTag = SEC_OID_UNKNOWN; ++ break; ++ default: ++ return Result::ERROR_UNSUPPORTED_KEYALG; ++ break; ++ } ++ ++ SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag}; ++ return VerifySignedData(pubk, mechanism, nullptr, &signatureItem, ++ &dataItem, policyTags, pkcs11PinArg); ++} ++ + Result + MapPRErrorCodeToResult(PRErrorCode error) + { +diff --git a/security/nss/lib/mozpkix/lib/pkixverify.cpp b/security/nss/lib/mozpkix/lib/pkixverify.cpp +index 8cb58bf7de..ff132d89df 100644 +--- a/security/nss/lib/mozpkix/lib/pkixverify.cpp ++++ b/security/nss/lib/mozpkix/lib/pkixverify.cpp +@@ -53,6 +53,9 @@ VerifySignedData(TrustDomain& trustDomain, + case der::PublicKeyAlgorithm::RSA_PSS: + return trustDomain.VerifyRSAPSSSignedData(signedData.data, + digestAlgorithm, signedData.signature, signerSubjectPublicKeyInfo); ++ case der::PublicKeyAlgorithm::MLDSA: ++ return trustDomain.VerifyMLDSASignedData(signedData.data, ++ signedData.signature, signerSubjectPublicKeyInfo); + MOZILLA_PKIX_UNREACHABLE_DEFAULT_ENUM + } + } diff --git a/SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch b/SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch new file mode 100644 index 0000000..9cb4553 --- /dev/null +++ b/SOURCES/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch @@ -0,0 +1,247 @@ +diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp +index cc778640a1..298d6a61e8 100644 +--- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp ++++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp +@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain { + mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + ++ virtual mozilla::pkix::Result VerifyMLDSASignedData( ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, ++ mozilla::pkix::Input subjectPublicKeyInfo) override; ++ + virtual mozilla::pkix::Result DigestBuf( + mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, size_t digestBufLen) override; +@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData( + return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + ++mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData( ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, ++ mozilla::pkix::Input subjectPublicKeyInfo) { ++ MOZ_ASSERT_UNREACHABLE("not expecting this to be called"); ++ ++ return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; ++} ++ + mozilla::pkix::Result ServerCertHashesTrustDomain::DigestBuf( + mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, size_t digestBufLen) { +diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp +index ca330770fb..1e8f1d4996 100644 +--- a/security/certverifier/CertVerifier.cpp ++++ b/security/certverifier/CertVerifier.cpp +@@ -7,6 +7,7 @@ + #include "CertVerifier.h" + + #include ++#include + + #include "AppTrustDomain.h" + #include "CTKnownLogs.h" +@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert( + void HashSignatureParams(pkix::Input data, pkix::Input signature, + pkix::Input subjectPublicKeyInfo, + pkix::der::PublicKeyAlgorithm publicKeyAlgorithm, +- pkix::DigestAlgorithm digestAlgorithm, ++ std::optional digestAlgorithm, + /*out*/ Maybe>& sha512Hash) { + sha512Hash.reset(); + Digest digest; +@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature, + sizeof(publicKeyAlgorithm)))) { + return; + } +- if (NS_FAILED( +- digest.Update(reinterpret_cast(&digestAlgorithm), +- sizeof(digestAlgorithm)))) { +- return; ++ // There is no fallback digest algorithm when it's empty. ++ // Check that digestAlgorithm actually contains a value. ++ if (digestAlgorithm) { ++ pkix::DigestAlgorithm value = digestAlgorithm.value(); ++ if (NS_FAILED(digest.Update(reinterpret_cast(&value), ++ sizeof(value)))) { ++ return; ++ } + } + nsTArray result; + if (NS_FAILED(digest.End(result))) { +@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache( + der::PublicKeyAlgorithm publicKeyAlg, + mozilla::glean::impl::DenominatorMetric telemetryDenominator, + mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data, +- DigestAlgorithm digestAlgorithm, Input signature, ++ std::optional digestAlgorithm, Input signature, + Input subjectPublicKeyInfo, SignatureCache* signatureCache, void* pinArg) { + telemetryDenominator.Add(1); + Maybe> sha512Hash; ++ ++ // Currently, it is only acceptable for `digestAlgorithm` to be null when the ++ // public key algorithm is pure ML-DSA. Fail immediately otherwise. ++ if ((publicKeyAlg != der::PublicKeyAlgorithm::MLDSA) && !digestAlgorithm) { ++ return Result::ERROR_INVALID_ALGORITHM; ++ } ++ + HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg, + digestAlgorithm, sha512Hash); + // If hashing the signature parameters succeeded, see if this signature is in +@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache( + Result result; + switch (publicKeyAlg) { + case der::PublicKeyAlgorithm::ECDSA: +- result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature, +- subjectPublicKeyInfo, pinArg); ++ result = ++ VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); + break; + case der::PublicKeyAlgorithm::RSA_PKCS1: +- result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature, +- subjectPublicKeyInfo, pinArg); ++ result = ++ VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); + break; + case der::PublicKeyAlgorithm::RSA_PSS: +- result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature, +- subjectPublicKeyInfo, pinArg); ++ result = ++ VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature, ++ subjectPublicKeyInfo, pinArg); ++ break; ++ case der::PublicKeyAlgorithm::MLDSA: ++ result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, ++ pinArg); + break; + default: + MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm"); +diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h +index 6432547c8a..6e09e6fcdd 100644 +--- a/security/certverifier/CertVerifier.h ++++ b/security/certverifier/CertVerifier.h +@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache( + mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg, + mozilla::glean::impl::DenominatorMetric telemetryDenominator, + mozilla::glean::impl::NumeratorMetric telemetryNumerator, +- mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm, ++ mozilla::pkix::Input data, ++ std::optional digestAlgorithm, + mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo, + SignatureCache* signatureCache, void* pinArg); + +diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp +index 70ba17d70f..a3ace3cee7 100644 +--- a/security/certverifier/NSSCertDBTrustDomain.cpp ++++ b/security/certverifier/NSSCertDBTrustDomain.cpp +@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData( + signature, subjectPublicKeyInfo, mSignatureCache, mPinArg); + } + ++Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature, ++ Input subjectPublicKeyInfo) { ++ return VerifySignedDataWithCache( ++ der::PublicKeyAlgorithm::MLDSA, ++ mozilla::glean::cert_signature_cache::total, ++ mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature, ++ subjectPublicKeyInfo, mSignatureCache, mPinArg); ++} ++ + Result NSSCertDBTrustDomain::CheckValidityIsAcceptable( + Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA, + KeyPurposeId keyPurpose) { +diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h +index fc210f3254..6178201758 100644 +--- a/security/certverifier/NSSCertDBTrustDomain.h ++++ b/security/certverifier/NSSCertDBTrustDomain.h +@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain { + mozilla::pkix::Input signature, + mozilla::pkix::Input subjectPublicKeyInfo) override; + ++ virtual Result VerifyMLDSASignedData( ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, ++ mozilla::pkix::Input subjectPublicKeyInfo) override; ++ + virtual Result DigestBuf(mozilla::pkix::Input item, + mozilla::pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, +diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp +index d5e665aaca..471213745d 100644 +--- a/security/ct/CTLogVerifier.cpp ++++ b/security/ct/CTLogVerifier.cpp +@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain { + return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; + } + ++ pkix::Result VerifyMLDSASignedData(Input, Input, Input) override { ++ return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; ++ } ++ + pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, + KeyPurposeId) override { + return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE; +diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp +index 6a25307ec3..dbec7adc91 100644 +--- a/security/ct/tests/gtest/CTTestUtils.cpp ++++ b/security/ct/tests/gtest/CTTestUtils.cpp +@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain { + subjectPublicKeyInfo, nullptr); + } + ++ pkix::Result VerifyMLDSASignedData(Input data, Input signature, ++ Input subjectPublicKeyInfo) override { ++ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, ++ nullptr); ++ } ++ + pkix::Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, + KeyPurposeId) override { + ADD_FAILURE(); +diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp +index ab49d7eb1f..3963f90eb1 100644 +--- a/security/manager/ssl/AppTrustDomain.cpp ++++ b/security/manager/ssl/AppTrustDomain.cpp +@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData( + subjectPublicKeyInfo, nullptr); + } + ++pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature, ++ Input subjectPublicKeyInfo) { ++ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo, ++ nullptr); ++} ++ + pkix::Result AppTrustDomain::CheckValidityIsAcceptable( + Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/, + KeyPurposeId /*keyPurpose*/) { +diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h +index 4b0212ede0..85fdff5f13 100644 +--- a/security/manager/ssl/AppTrustDomain.h ++++ b/security/manager/ssl/AppTrustDomain.h +@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain { + mozilla::pkix::DigestAlgorithm digestAlg, + /*out*/ uint8_t* digestBuf, + size_t digestBufLen) override; ++ virtual Result VerifyMLDSASignedData( ++ mozilla::pkix::Input data, mozilla::pkix::Input signature, ++ mozilla::pkix::Input subjectPublicKeyInfo) override; + + private: + nsTArray> mTrustedRoots; +diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp +index 3a84b15ee6..a3dc5a1af1 100644 +--- a/security/manager/ssl/TLSClientAuthCertSelection.cpp ++++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp +@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain { + pkix::Input subjectPublicKeyInfo) override { + return pkix::Success; + } ++ virtual mozilla::pkix::Result VerifyMLDSASignedData( ++ pkix::Input data, pkix::Input signature, ++ pkix::Input subjectPublicKeyInfo) override { ++ return pkix::Success; ++ } + virtual mozilla::pkix::Result CheckValidityIsAcceptable( + pkix::Time notBefore, pkix::Time notAfter, + pkix::EndEntityOrCA endEntityOrCA, diff --git a/SOURCES/thunderbird-redhat-default-prefs.js b/SOURCES/thunderbird-redhat-default-prefs.js index 15faa7b..f13ee5b 100644 --- a/SOURCES/thunderbird-redhat-default-prefs.js +++ b/SOURCES/thunderbird-redhat-default-prefs.js @@ -12,8 +12,6 @@ pref("offline.autoDetect", true); /* Disable global indexing by default*/ pref("mailnews.database.global.indexer.enabled", false); -/* Do not switch to Smart Folders after upgrade to 3.0b4 */ -pref("mail.folder.views.version", "1"); pref("extensions.shownSelectionUI", true); pref("extensions.autoDisableScopes", 0); diff --git a/SOURCES/thunderbird.appdata.xml.in b/SOURCES/thunderbird.appdata.xml.in new file mode 100644 index 0000000..16c6ca8 --- /dev/null +++ b/SOURCES/thunderbird.appdata.xml.in @@ -0,0 +1,50 @@ + + + thunderbird + CC0-1.0 + Thunderbird + Thunderbird is a free and open source email, newsfeed, chat, and calendaring client + + +

+ Thunderbird is a free and open source email, newsfeed, chat, and + calendaring client, that’s easy to set up and customize. One of the core + principles of Thunderbird is the use and promotion of open standards - + this focus is a rejection of our world of closed platforms and services + that can’t communicate with each other. We want our users to have freedom + and choice in how they communicate. +

+

+ Thunderbird is an open source project, which means anyone can contribute + ideas, designs, code, and time helping fellow users. +

+ + + Calendar + Email + Office + + + https://www.thunderbird.net/ + https://bugzilla.mozilla.org/ + https://support.mozilla.org/kb/thunderbird-faq/ + https://support.mozilla.org/products/thunderbird/ + https://www.thunderbird.net/donate/ + https://www.thunderbird.net/participate/ + + Mozilla + MPL-2.0 + Thunderbird Project + + + message/rfc822 + x-scheme-handler/mailto + text/calendar + text/vcard + text/x-vcard + + + + + jhorak@redhat.com + diff --git a/SPECS/thunderbird.spec b/SPECS/thunderbird.spec index 8eed637..2c7b1f2 100644 --- a/SPECS/thunderbird.spec +++ b/SPECS/thunderbird.spec @@ -137,7 +137,7 @@ end} Summary: Mozilla Thunderbird mail/newsgroup client Name: thunderbird -Version: 140.4.0 +Version: 140.5.0 Release: 2%{?dist} URL: http://www.mozilla.org/projects/thunderbird/ License: MPLv1.1 or GPLv2+ or LGPLv2+ @@ -165,7 +165,7 @@ ExcludeArch: %{ix86} #Source0: https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.processed-source.tar.xz Source0: thunderbird-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{with langpacks} -Source1: thunderbird-langpacks-%{version}%{?pre_version}-20251013.tar.xz +Source1: thunderbird-langpacks-%{version}%{?pre_version}-20251111.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball @@ -177,6 +177,7 @@ Source24: mozilla-api-key Source25: thunderbird-symbolic.svg Source27: google-api-key Source32: node-stdout-nonblocking-wrapper +Source33: thunderbird.appdata.xml.in Source35: google-loc-api-key Source401: nss-setup-flags-env.inc Source402: nspr-4.36.0-2.el8_2.src.rpm @@ -218,6 +219,20 @@ Patch109: mozilla-bmo1789216-disable-av1.patch Patch110: build-libaom.patch Patch111: av1-else-condition-add.patch +# ML-DSA support +# https://phabricator.services.mozilla.com/D262395 +Patch120: thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch +# https://phabricator.services.mozilla.com/D262397 +Patch121: thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch +# https://phabricator.services.mozilla.com/D264144 +Patch122: thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch +# RHEL downstream only - adapts to ML-DSA support in NSS from RHEL 10 +Patch123: thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch +# RHEL downstream only - enable ML-DSA in manager/ssl +Patch124: thunderbird-enable-ml-dsa-in-manager-ssl.patch +# RHEL downstream only - add mlkem768-secp256r1 support +Patch125: thunderbird-add-mlkem768-secp256r1-support.patch + # ---- Fedora specific patches ---- Patch151: firefox-enable-addons.patch Patch152: rhbz-1173156.patch @@ -1099,6 +1114,16 @@ echo "--------------------------------------------" %patch -P110 -p1 -b .libaom %patch -P111 -p1 -b .av1-else-condition-add +%if 0%{?rhel} >= 10 +# ML-DSA support +%patch -P120 -p1 -b .integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation +%patch -P121 -p1 -b .add-ml-dsa-certificate-support-to-certviewer +%patch -P122 -p1 -b .enable-ml-dsa-signature-verification-for-certificate-chain-validation +%patch -P123 -p1 -b .adapt-ml-dsa-support-to-rhel-nss +%patch -P124 -p1 -b .enable-ml-dsa-in-manager-ssl +%patch -P125 -p1 -b .add-mlkem768-secp256r1-support +%endif + # ---- Fedora specific patches ---- %patch -P151 -p1 -b .addons %patch -P152 -p1 -b .rhbz-1173156 @@ -1569,15 +1594,10 @@ touch $RPM_BUILD_ROOT%{mozappdir}/components/xpti.dat %endif # Register as an application to be visible in the software center -mkdir -p $RPM_BUILD_ROOT%{_datadir}/metainfo -%{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml -%if 0%{?flatpak} -# don't specify icon for flatpak appdata, icons are correctly named and packaged already -# as org.mozilla.Thunderbird.png -sed -i -e 's|thunderbird|' "$RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml" -%endif +mkdir -p %{buildroot}%{_datadir}/metainfo +%{__sed} -e "s/__VERSION__/%{version}/" \ + -e "s/__DATE__/$(date '+%Y-%m-%d')/" \ + %{SOURCE33} > %{buildroot}%{_datadir}/metainfo/thunderbird.appdata.xml # Clean the created bundled rpms. rm -rf %{_srcrpmdir}/libffi*.src.rpm @@ -1591,6 +1611,11 @@ find %{_rpmdir} -name "nspr*.rpm" -delete #=============================================================================== +%check +appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/*.appdata.xml + +#=============================================================================== + %post update-desktop-database &> /dev/null || : touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -1675,6 +1700,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #=============================================================================== %changelog +* Tue Nov 11 2025 Jan Horak - 140.5.0-2 +- Update to 140.5.0 ESR + * Mon Oct 13 2025 Jan Horak - 140.4.0-2 - Update to 140.4.0 ESR